Maryland looks at package of cybersecurity bills, introduces cybersecurity tax credit

Binary matrix with glowing security lock

State Senator Catherine E. Pugh and the Commission on Maryland Cybersecurity Innovation and Excellence have introduced four bills in this legislative session, and Governor Martin O’Malley has announced a package of initiatives designed to further Maryland’s leadership as a hub for cybersecurity jobs.

In the proposed FY2014 budget, the Governor unveiled a $3 million investment to create a new Cybersecurity Tax Credit to leverage Maryland’s assets for job creation, opportunity, and economic growth. Designed to stimulate private investment in early-stage cybersecurity technology companies in Maryland, the program is modeled after the Biotechnology Investment Incentive Tax Credit, and provides a 33% refundable tax credit for qualified investors in seed- and early-stage cybersecurity companies.

Today, Governor O’Malley also announced Jeani Park as Maryland’s Director of Cyber Development. Park will lead the Administration’s efforts to position Maryland as the epicenter of cybersecurity activity, supporting product development, education and talent; working to attract new cyber companies and investors to Maryland; encouraging the continued expansion of cybersecurity programs and assisting start-up cyber firms.

Park will also work with Gaithersburg-based National Institute of Standards and Technology (NIST) to develop the National Cyber Center of Excellence, and coordinate the third annual CyberMaryland Conference in October with the Federal Business Council and other partners.

In terms of the bills, the package of legislation introduces provisions for personal information protection, and medical record identity fraud.

SB 859 increases the duties imposed on private businesses under Maryland’s Personal Information Protection Act (PIPA), and expands the definition of personal identifying information. The expanded definition now includes any information about a given individual that may expose them whether that information was originally encrypted or not. SB 859 also adopts a new category of private information which includes – social security numbers,passport numbers, or other identification numbers and places greater responsibility on business to protect those numbers as well. The bill is currently in the rules committee and no schedule has been released yet.

SB 591 essentially makes the rules for businesses as defined under PIPA carry for Maryland government offices as well, although the definitions of identifying information are somewhat more narrow. The bill has a piece of partner legislation – SB 676 – which essentially creates an expanded definition framework around personal identifying information protection to harmonize rules with SB 859.

Finally, a fourth bill, SB 624, expands the state guidelines for identity fraud to include fraudulently accessing patients medical records. This bill also includes expanded definitions of personal identifying information and according to a client alert from US law firm, Venable, expands the understanding of identity theft to include: “(i) knowingly, willfully, and with fraudulent intent possessing, obtaining, or helping another to possess or obtain personal identifying information to access medical information or services; (ii) knowingly and willfully assuming the identity of another to access medical information or services; and (iii) knowingly, willfully, and with fraudulent intent accessing medical information or services, skimming personal identifying information from the magnetic strip of a credit card, or re-encoding the magnetic strip of a credit card onto another card, in either case without the consent of the cardholder.”

This bill will go up for a hearing on February 27,2013.

As CivSource, has reported, cybersecurity is one of the key focus areas for state legislatures as the frequency and sophistication of attacks continues to rise. According to the 2012 Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study, only 24% of chief information security officers (CISOs) at the state and local level are very confident in their states’ ability to guard data against external threats. State CISOs said in the study that more education and outreach is needed up and down the chain in order to make sure enough budget dollars and man power are going to protect high value personal, and government information from attack.

Taken together, the initiatives proposed by Governor O’Malley and the legislation package may be a model for other states. Maryland is simultaneously building out private sector jobs in this high demand space while also taking early steps to protect more personal identifying information and increase the compliance responsibilities for businesses that hold virtually any type of potentially identifying information on individual users.

“Creating jobs is our top priority,” said Governor O’Malley. “The most important assets we have to make Maryland the epicenter of cybersecurity and expand our Innovation Economy are the talents, skills, education, and creativity of our people.”