Sec. 09.03.06.24. Data Protection  

A. A licensee that adequately demonstrates compliance with the federal Interagency Guidelines Establishing Information Security Standards, 12 CFR Part 30, Appendix B, as it may be amended from time to time, shall be deemed to be in compliance with §§B-G of this regulation.

B. A licensee shall develop, implement, and maintain a comprehensive information security program that is commensurate with the licensee’s size and complexity, the nature and scope of the licensee’s activities, and the sensitivity of any customer information at issue.

C. A licensee’s information security program shall consider the following objectives:

(1) Ensuring the security and confidentiality of customer information;

(2) Protecting against any anticipated threats or hazards to the security or integrity of such information; and

(3) Protecting against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

D. Governance over Information Technology.

(1) A licensee shall have an established governance process in place to control and monitor information security.

(2) The governance process shall include, as appropriate for the size and complexity of the licensee and its information technology systems:

(a) The establishment of policies and procedures related to information technology approved by the board of directors, ownership, or most senior level of management; and

(b) A management structure that encompasses:

(i) Assigning responsibilities and authorities for ensuring adherence to information technology policies and procedures;

(ii) Documenting accountability for functions to ensure compliance with information technology policies and procedures; and

(iii) Reporting to the board of directors, ownership, or most senior level of management, no less than annually, regarding the effectiveness of the information technology policies and procedures.

E. Information Technology Security Risk Assessment.

(1) A licensee shall complete an information technology security risk assessment on a periodic basis, but not less than once every 3 years.

(2) A licensee’s security risk assessment shall include:

(a) Identification of the data and information systems that need to be protected;

(b) Classification and ranking of sensitive data, systems, and applications; and

(c) Identification and assessment of threats and vulnerabilities.

F. Information Technology Security Testing and Monitoring.

(1) A licensee shall perform periodic testing and monitoring of information technology security controls as appropriate for the size and complexity of the licensee’s information technology systems.

(2) A licensee’s periodic testing and monitoring of information technology security controls shall include:

(a) Evaluating the effectiveness of existing internal controls;

(b) Taking corrective action to address any significant deficiencies identified during the course of licensee’s evaluation of the effectiveness of existing internal controls;

(c) Monitoring of external sources for new vulnerabilities; and

(d) Developing and implementing additional control frame works for any new or changed threats or risks identified by the licensee.

G. Third Party Provider Oversight. A licensee shall oversee third party service providers by:

(1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and

(2) Requiring service providers by contract to implement and maintain such safeguards.

H. Reporting Obligations. A licensee shall provide notice of a breach of the security of a system to the Commissioner prior to giving the notice required by Commercial Law Article, §14-3504(b), Annotated Code of Maryland.

I. Record Retention. A licensee shall provide copies of risk assessments under §E of this regulation and results of periodic testing under §F of this regulation to the Commissioner upon request.