Maryland Statutes
Subtitle 1 - State Board
Section 2-108 - Report of Security Violation and Significant Attempted Security Violation Involving an Election System

(a)    (1)    In this section the following words have the meanings indicated.
        (2)    “Appropriate persons” means:
            (i)    the State Board;
            (ii)    the Governor;
            (iii)    the President of the Senate of Maryland;
            (iv)    the Speaker of the House of Delegates; and
            (v)    the Attorney General.
        (3)    “Election service provider” means any person providing, supporting, or maintaining an election system on behalf of the State Board or a local board, including a contractor or vendor.
        (4)    “Election system” means any information system used for the management, support, or administration of an election, including:
            (i)    the voting system;
            (ii)    the online voter registration system;
            (iii)    the voter registration database;
            (iv)    the online ballot request, delivery, or marking systems;
            (v)    the electronic pollbooks;
            (vi)    the system for tabulating or reporting election results; and
            (vii)    the State Board or local board e–mail system.
        (5)    “Security violation” means the incident categories defined by the Department of Information Technology in the State information security policy.
        (6)    “Significant attempted security violation” means an attempt to commit a security violation that:
            (i)    is known to have been committed by a foreign government or agents of a foreign government; or
            (ii)    the State Administrator considers to be of particular significance or concern.
    (b)    Within 7 days after becoming aware of a security violation or significant attempted security violation, the State Administrator shall submit to the Department of Information Technology and the appropriate persons a report on each security violation and significant attempted security violation involving an election system:
        (1)    owned, operated, or maintained by the State Board or a local board of elections; or
        (2)    provided, supported, or maintained by an election service provider.
    (c)    Within 7 days after receiving the State Board’s report submitted under subsection (b) of this section, the Department of Information Technology shall forward any additional relevant information to the appropriate persons and the State Administrator.
    (d)    Notwithstanding any other law, the Secretary of Information Technology may require that the information contained in a report submitted under subsection (b) of this section be withheld from the general public if the Secretary determines that the public interest is served by withholding the information.
    (e)    If an election service provider knows that a security violation or significant attempted security violation has occurred involving an election system provided, supported, or maintained by the election service provider, the election service provider shall:
        (1)    notify the State Administrator in writing as soon as practicable but not later than 4 days after becoming aware of the security violation or significant attempted security violation; and
        (2)    cooperate with the State Administrator in submitting the report required under subsection (b) of this section.