Maryland fails national cybersecurity study

Daily Record, The (Baltimore), Apr 25, 2003 by Bobby White

A national study examining where states are in their compliance with recent regulations on cybersecurity has a few Maryland officials up in arms over some of its conclusions.

The report said only 14 states actually have come into the fold, adopting and implementing laws requiring insurance and financial institutions to protect their electronic data from hacking. Maryland was not one of them.

The report -- using a state's outlook on governing cybersecurity within finance and insurance -- gauged a state's overall aggressiveness towards cybersecurity.

The study was conducted by Zeichner Risk Analytics, a Virginia consulting group that specializes in business assurance.

The firm wanted to see how many states were in compliance with policies mandated by the Gramm-Leach-Bliley Act of 1999. A key provision of the act provided that financial and insurance institutions secure the sensitive information they have on consumers.

Congress also specifically required federal and state lawmakers to prepare cybersecurity regulations for the financial and insurance institutions.

The report classified states into three categories: states in absolute compliance, states with pending legislation and states with little or no cybersecurity activity. Maryland was placed in the last category.

The importance of governing an institutions' electronic security was highlighted in February when 8 million credit card account numbers were accessed -- Visa, MasterCard and American Express accounts were involved -- by breaching the security of a company that processes transactions for merchants.

"A lot of comments were made in the report that were misleading," said Carmella Thompson, who overlooks electronic security for Maryland. "I am not sure why it was worded the way it was. It does not reflect what the state is doing."

Thompson said the state was very active in its efforts and that using how the state governs its insurance and financial institutions' electronic databases was a faulty way to examine Maryland's actions in cybersecurity.

Thompson pointed to the recent appointment of Gov. Robert Ehrlich Jr. to a national advisory panel on cybersecurity as an obvious statement of the state's actions. In late March the White House announced that Ehrlich was among those appointed to the National Infrastructure Advisory Council.

Thompson works out of the Office of Information Technology which comes under the umbrella of the Department of Budget Management. She said during the past few years there has been a lot of change in administration and management which has somewhat contributed to a less-than-stellar report card on IT.

"I would say we are moving in the right direction. It takes time and money," she said.

The state has not had an official chief information officer since last fall when Linda Burek held the position. Tom Lee, assistant secretary for Budget Management, is the interim CIO, but he plans to retire soon.

The flip-flop from surplus to deficit with the state's budget as well as new legislators in office have put state IT issues on hold.

The report's co-author stood by his findings. Lee M. Zeichner said he wanted to stay away from a value judgment and let the findings speak for itself.

He did say that in putting together the report he began to take note on how state legislators operate.

"This is a very serious issue -- privacy and security -- but the way some states are going about dealing with it is flawed. A part of the problem is state legislatures do not meet fulltime," he said.

"States need to coordinate into a national process. A state like Maryland has a very sophisticated infrastructure and it needs to leverage the work already being done," he said.

He said the state should work with others to create a single nationwide process for developing cybersecurity laws and policies.