Current as of January 01, 2025 | Updated by FindLaw Staff
(a) A carrier shall notify the Commissioner as promptly as possible but in no event later than 3 business days from a determination that a cybersecurity event has occurred when either of the following criteria has been met:
(1)(i) the State is the carrier's state of domicile; and
(ii) the cybersecurity event has a reasonable likelihood of harming a consumer residing in the State or any material part of the normal operations of the carrier; or
(2) the carrier reasonably believes that the nonpublic information involved is of 250 or more consumers residing in the State and either of the following circumstances is present:
(i) a cybersecurity event impacting the carrier has occurred for which notice must be provided to a government body, self-regulatory agency, or any other supervisory body under state or federal law; or
(ii) a cybersecurity event has occurred that has a reasonable likelihood of materially harming:
1. a consumer residing in the State; or
2. a material part of the normal operation of the carrier.
(b) The carrier shall provide as much of the following information as reasonably possible:
(1) the date of the cybersecurity event;
(2) a description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any;
(3) how the cybersecurity event was discovered;
(4) whether any lost, stolen, or breached information has been recovered and, if so, how this was done;
(5) the identity of the source of the cybersecurity event;
(6) whether the carrier has filed a police report or has notified a regulatory, government, or law enforcement agency and, if so, when the notification was provided;
(7) a description of the specific types of information acquired without authorization and, more specifically, particular data elements, such as types of medical information, types of financial information, or types of information allowing identification of the consumer;
(8) the period during which the information system was compromised by the cybersecurity event;
(9) the number of total consumers in the State affected by the cybersecurity event, with the carrier providing:
(i) the best estimate of this number in its initial report to the Commissioner; and
(ii) an updated estimate of this number in each subsequent report to the Commissioner in accordance with this section;
(10) the results of any internal review:
(i) identifying a lapse in either automated controls or internal procedures; or
(ii) confirming that all automated controls or internal procedures were followed;
(11) a copy of the carrier's privacy policy and a statement outlining the steps the carrier will take to investigate and notify consumers affected by the cybersecurity event; and
(12) the name of a contact person who is both familiar with the cybersecurity event and authorized to act for the carrier.
(c) A carrier shall provide the information required under this section in electronic form as directed by the Commissioner.
(d) A carrier shall have a continuing obligation to update and supplement initial and subsequent notifications to the Commissioner concerning the cybersecurity event.
(e) A carrier shall comply with § 14-3504 of the Commercial Law Article, as applicable, and provide a copy of the notice sent to consumers under that section to the Commissioner.
(f) If a managed care organization conducts an investigation as required by the Maryland Department of Health in accordance with the managed care organization's contract with the Maryland Department of Health and determines that a cybersecurity event has occurred, the managed care organization shall provide to the Commissioner copies of all notices and reports provided to the Maryland Department of Health at the same time and in the same manner that the managed care organization provides the notices and reports to the Maryland Department of Health.
Cite this article: FindLaw.com - Maryland Code, Insurance § 33-105 - last updated January 01, 2025 | https://codes.findlaw.com/md/insurance/md-code-insurance-sect-33-105/
FindLaw Codes may not reflect the most recent version of the law in your jurisdiction. Please verify the status of the code you are researching with the state legislature before relying on it for your legal needs.