Can I avoid having a data breach response plan in Maryland? What are the requirements?
Data Breach Response Plan Requirements in Maryland
Maryland law does not impose a single, general obligation to maintain a data breach response plan. Instead, sector-specific provisions impose record-keeping, breach reporting and breach notification duties on particular kinds of entities, and those duties vary with the type of entity and the type of data involved. In practice, an entity cannot meet a fixed reporting deadline or a multi-party notification duty without a documented process, so the provisions below effectively require a response plan even where they do not use that term.
Entities With Breach Reporting or Related Compliance Duties
- Insurers: Insurers in Maryland must maintain records sufficient for the Commissioner to evaluate the effectiveness of their antifraud plan, and must file a report with the Administration by March 31 of each year covering the previous year's statistics, including the number of suspected fraud cases reported to the authorities [1.1]. Note that this provision concerns antifraud reporting rather than data security breaches; it is relevant here only to the extent that fraud and breach incidents overlap.
- Utilities: Every utility in Maryland must report a confirmed cybersecurity breach of a smart grid system, information technology system, or operations technology system to a Commission-designated representative no later than 1 business day after confirmation. The report must not divulge energy/electric infrastructure information as defined in 18 CFR §388.113. The deadline is suspended only where law enforcement prohibits disclosure, or advises against it, to avoid compromising an investigation [2.1].
- The MLDS Center: The Center's Executive Director must require all authorized staff to comply with the rules of security behavior provided to them, to receive and review the MLDS Center's Data Security and Safeguarding Plan, and to take security and privacy training periodically. The Executive Director must remove a staff member's system access if that staff member falls out of compliance with these requirements [3.1]. This is a staff security and safeguarding obligation rather than a breach reporting rule, but the Data Security and Safeguarding Plan is the document in which the Center's incident handling would be expected to live.
- Health Information Exchanges (HIEs): HIEs in Maryland must give notice of a breach and, where applicable, of a non-HIPAA violation as required by Maryland law. If an investigation concludes that a breach or non-HIPAA violation occurred, then, in addition to any applicable HIPAA notification requirements, the HIE must notify three groups: the person who reported the potential breach or violation to the HIE; any participating organization that provided health information about the health care consumer involved; and each patient (or person in interest acting on the patient's behalf) whose PHI or sensitive health information was inappropriately accessed or disclosed as a result of the breach or violation [4.1].
Data Breach Response Plan Requirements
Maryland law does not prescribe the contents or format of a data breach response plan. The obligations that do exist are framed as reporting and notification duties: entities subject to the provisions above must comply with the notification requirements of applicable federal and State law, including HIPAA and the HITECH Act for HIEs [4.1], and with the reporting deadlines and recipients set out for their sector. A plan that records who confirms an incident, who is notified, by when, and what information may not be disclosed (for example, the 18 CFR §388.113 infrastructure information a utility must withhold) is the practical way to satisfy those duties.
Relationship to Maryland Laws
The chapter cited in [5.1] does not preempt or supersede Maryland law relating to medical records, health information privacy, or insurance information privacy, so those State provisions continue to apply alongside it.
Conclusion
Maryland does not require a data breach response plan by name, but insurers, utilities, the MLDS Center, and HIEs each carry sector-specific record-keeping, reporting, or notification duties with defined recipients and deadlines. Because the law specifies no plan contents, the plan's substance is driven by those duties and by the notification requirements of applicable federal and State law; an entity that skips the plan is not exempt from the underlying obligations and is simply less likely to meet them.
Source(s):
- [1.1] Reporting of Fraud-Related Data.
- [2.1] Cybersecurity Breach Reporting.
- [3.1] Security Requirements (MLDS Center).
- [4.1] Notice of Breach and Non-HIPAA Violation.
- [5.1] Relationship to Maryland Laws.
Jurisdiction
Maryland