S. 335 was introduced this week in the Senate. This is simply a set of proposals that may be changed during the legislative process. I look forward to the debate.
CYBER SECURITY AND IDENTITY THEFT PROTECTIONS BILL
I. Whereas Clauses
Sets forth the necessity for the bill (primarily relating to the cyber security breach at DOR) based on subcommittee findings, including:
The period of time that lapsed between the beginning of the hackers' attack and discovery of the breach, and the disconnect in the organizational structure of DOR;
The need for “identity theft” protections for affected citizens beyond the expiration of the one-year Experian contract; and
The need for a centralized statewide cyber security program with the authority to establish standard practices and policies among all state agencies related to information security.
II. Section 1-Lifetime Protection & Fraud Resolution Services to Eligible Persons as a result of the DOR Cyber Security Breach
Requires the Governor to develop a protection plan with “identity theft” services free of charge to eligible citizens affected by the DOR breach. Taxpayers, excluding those enrolled in free state protection or those claiming the cost as a business expense (can’t double dip), are eligible for a tax deduction if they purchase their own protection (capped at $200 for individuals and $300 for joint returns or returns with dependents). This deduction sunsets after the 2018 tax year.
Requires the Governor to develop a policy to protect personally identifiable information at DOR.
Mandates that no service may be procured for a cost if the same service is available to eligible persons for free under state or federal law.
Requires that any contract entered into by the Governor not exceed a term of 5 years and requires the Governor, upon expiration of any contract, to issue a report to the General Assembly with findings and recommendations concerning the ongoing risk to eligible persons. Based on the report, the Governor may extend services for an additional period of up to 5 years. The bill, therefore, authorizes the provision of services and protection for up to 10 years.
Requires any contract entered into by the Governor to be procured through MMO following standard procurement processes.
Requires the Governor to include the estimated costs of implementation in the executive budget and any agency charged with implementing any portion of the plan to account for its estimated expenses in their annual budget request.
III. Section 2-Creation of an Identity Theft Unit within the Department of Consumer Affairs
Establishes the Identity Theft Unit in order to educate the public regarding identity theft and fraud and provide identity theft and fraud resolution services to victims.
Provides that the Identity Theft Unit will work with law enforcement agencies, track statistical data relating to instances of identity theft and fraud, and will submit an annual report with recommended changes to law, including the State’s Consumer Protection Code, that would reduce instances of identity theft and fraud.
IV. Section 3-Creation of the Department of Information Security
Establishes the Chief Information Security Officer (CISO) of the State as the Director of the cabinet-level Department of Information Security, who shall serve for 4-year terms.
Requires the Department to develop statewide policies, standards, programs and services related to cyber security and information systems.
Authorizes the CISO to develop salaries and compensation plans for IT employees at the Department to be competitive with the private sector.
Requires all agencies to adopt and implement the policies established by the CISO and to provide all information requested of the CISO.
V. Section 4-Creation of the Technology Investment Council
Establishes a seven-member council consisting of the director of DSIT, the CISO, and appointees of the Governor, Pres. Pro Tempore of the Senate, Speaker of the House, Chairman of Senate Finance and Chairman of House Ways and Means.
Responsible for the publication of an annual statewide technology plan with recommendations regarding funding of technology for each fiscal year.
Responsible for overseeing the enforcement of active projects and developing minimum standards required for technology projects.
VI. Section 5-Creation of the Joint Information Security Oversight Committee
Establishes a nine-member joint oversight committee consisting of the CISO and appointees of the Governor (2), Pres. Pro Tempore of the Senate, Speaker of the House, Chairman of Senate Finance (2) and Chairman of House Ways and Means (2).
Requires the Committee to continually study state cyber security laws in order to make recommendations, through an annual report, for modifications to such laws.