Code · Maryland · Insurance

§ 33-105

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

§33–105.
(a) A carrier shall notify the Commissioner as promptly as possible but in no event later than 3 business days from a determination that a cybersecurity event has occurred when either of the following criteria has been met:
(1) (i) the State is the carrier’s state of domicile; and
(ii) the cybersecurity event has a reasonable likelihood of harming a consumer residing in the State or any material part of the normal operations of the carrier; or
(2) the carrier reasonably believes that the nonpublic information involved is of 250 or more consumers residing in the State and either of the following circumstances is present:
(i) a cybersecurity event impacting the carrier has occurred for which notice must be provided to a government body, self–regulatory agency, or any other supervisory body under state or federal law; or
(ii) a cybersecurity event has occurred that has a reasonable likelihood of materially harming:
1. a consumer residing in the State; or
2. a material part of the normal operation of the carrier.
(b) The carrier shall provide as much of the following information as reasonably possible:
(1) the date of the cybersecurity event;
(2) a description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third–party service providers, if any;
(3) how the cybersecurity event was discovered;
(4) whether any lost, stolen, or breached information has been recovered and, if so, how this was done;
(5) the identity of the source of the cybersecurity event;
(6) whether the carrier has filed a police report or has notified a regulatory, government, or law enforcement agency and, if so, when the notification was provided;
(7) a description of the specific types of information acquired without authorization and, more specifically, particular data elements, such as types of medical information, types of financial information, or types of information allowing identification of the consumer;
(8) the period during which the information system was compromised by the cybersecurity event;
(9) the number of total consumers in the State affected by the cybersecurity event, with the carrier providing:
(i) the best estimate of this number in its initial report to the Commissioner; and
(ii) an updated estimate of this number in each subsequent report to the Commissioner in accordance with this section;
(10) the results of any internal review:
(i) identifying a lapse in either automated controls or internal procedures; or
(ii) confirming that all automated controls or internal procedures were followed;
(11) a copy of the carrier’s privacy policy and a statement outlining the steps the carrier will take to investigate and notify consumers affected by the cybersecurity event; and
(12) the name of a contact person who is both familiar with the cybersecurity event and authorized to act for the carrier.
(c) A carrier shall provide the information required under this section in electronic form as directed by the Commissioner.
(d) A carrier shall have a continuing obligation to update and supplement initial and subsequent notifications to the Commissioner concerning the cybersecurity event.
(e) A carrier shall comply with § 14–3504 of the Commercial Law Article, as applicable, and provide a copy of the notice sent to consumers under that section to the Commissioner.
(f) If a managed care organization conducts an investigation as required by the Maryland Department of Health in accordance with the managed care organization’s contract with the Maryland Department of Health and determines that a cybersecurity event has occurred, the managed care organization shall provide to the Commissioner copies of all notices and reports provided to the Maryland Department of Health at the same time and in the same manner that the managed care organization provides the notices and reports to the Maryland Department of Health.