Statutes, codes, and regulations
Maryland Administrative code
Title 20 - PUBLIC SERVICE COMMISSIONSubtitle 06 - CYBERSECURITY
Chapter 20.06.01 - General
Section 20.06.01.05 - Cybersecurity Incident Reporting

Md. Code Regs. 20.06.01.05

Download
PDF
Current through Register Vol. 52, No. 1, January 10, 2025
Section 20.06.01.05 - Cybersecurity Incident Reporting
A. All public service companies shall report cybersecurity incidents no later than 24 hours to the State Security Operations Center according to the method specified by the Maryland Department of Information Technology. Public service companies shall include in such reports the following information:
(1) Contact information;
(2) Type and size of the organization;
(3) Start and end time of the incident;
(4) Generalized narrative of the incident;
(5) Degree or scope of impact from the incident on delivery of utility operation or service;
(6) Type and amount of involved utility customer information that was or may have been impacted pursuant to Commercial Law Article, § 14-3501 et seq., Annotated Code of Maryland; and
(7) A follow up report, typically within 30 days, if further impact or exposure is discovered requiring revision of previous reported scope and impact.
B. The State Security Operations Center shall notify appropriate entities of a cybersecurity incident reported, as required by Public Utilities Article, §5-306(d)(3), Annotated Code of Maryland, including the Commission. The Commission's Office of Cybersecurity shall notify such additional representatives as the Commission designates.
C. Depending on the circumstances of the cybersecurity incident, the public service company may be requested to provide additional cybersecurity incident related information to either the Department of Information Technology or the Office of Cybersecurity, which may not be unreasonably denied unless this information is superseded by applicable federal cybersecurity standards and regulations that prohibit such disclosures.
D. The details of a public service company incident report may not be divulged except as directed by the Commission, or a court, as authorized by law, or as required by Public Utilities Article, §5-306(d)(3), Annotated Code of Maryland. The Office of Cybersecurity shall promptly notify a public service company upon the discovery of any unauthorized access, compromise, loss, or exfiltration of the public service company's cybersecurity incident information.

Md. Code Regs. 20.06.01.05

Regulation .05 adopted effective 49:15 Md. R. 739, eff. 7/25/2022; amended effective 51:24 Md. R. 1081, eff. 12/12/2024.