11.15.31.11

.11 Security Provisions.

A. General Characteristics. A contractor shall incorporate the following security measures into the host system and other components of the electronic system:

(1) The host system shall control the communications data flow between the Administration and the participant;

(2) Each participant's terminal shall be a termination point in the contractor's communication network; and

(3) A contractor shall notify each participant that the terminal may not serve as an intermediate communications mode for other remote networks.

B. Documentation.

(1) A contractor shall supply the Administration with current, reasonably detailed information regarding the electronic system, including:

(a) Hardware and software configuration diagrams containing functional system descriptions;

(b) Reasonably detailed descriptions of security functions, including password usage; and

(c) A network configuration diagram.

(2) A contractor shall supply documentation:

(a) For each type of system employed by the contractor, if more than one; and

(b) On any material change made in hardware or software that may affect the contractor, a participant, or access to Administration data.

(3) The Administration:

(a) Shall use the information under §B(1) and (2) of this regulation solely for internal audits, security audits, and technical testing with respect to the electronic system;

(b) Shall treat the information as computer software developed for a State agency or vendor proprietary software for purposes of General Provisions Article, Title 4, Annotated Code of Maryland; and

(c) May not disclose the information unless required to do so by judicial order.

C. Access.

(1) A contractor shall develop procedures to control access to the electronic system to participants who assure the Administration that access is:

(a) Available only to participants and users who have been authorized and accurately identified;

(b) Available to the Administration for open transactions within the contractor's system; and

(c) Monitored to ensure that all access is traceable by the Administration.

(2) The Administration shall allow authorized participants access only to the Administration's database files as necessary to process vehicle title and registration transactions.

(3) A participant, and its employees, may not sell or impart to any person, firm, or corporation any information obtained from Administration records, including listings of individuals, for any reason.

(4) Information obtained through this access is subject to the restrictions upon use and dissemination imposed by:

(a) General Provisions Article, Title 4, Annotated Code of Maryland;

(b) COMAR 11.17.10;

(c) COMAR 11.17.12;

(d) The Motor Vehicle Administration regulations on access to records in COMAR 11.11.09; and

(e) Any successor regulations adopted by the Administration concerning disclosure or dissemination of any information obtained from Administration records or files.

D. Confidentiality of Information and Computer Security.

(1) A contractor shall:

(a) Ensure the confidentiality and the nondisclosure of records described in this regulation; and

(b) Require each participant, as part of the participant's agreement, to implement procedures that ensure that:

(i) Terminals are not left unattended while logged on to the host system;

(ii) Terminals, including any monitor, printer, printout, or other form of display or duplication of vehicle record information, are placed to prevent the information from being viewed by unauthorized persons; and

(iii) Any printed copy of a vehicle record is destroyed when its legitimate use has ended;

(c) Configure the computer program to cause a terminal to log off automatically when no response or command is generated within a 15-minute time period; and

(d) Enforce these requirements by canceling access for any participant who does not uniformly comply with them.

(2) A participant is responsible for:

(a) Safeguarding the automated equipment which provides access to the electronic system;

(b) Limiting access to those persons who are authorized users of the electronic system and who have been properly instructed as to their duties and responsibilities as authorized users; and

(c) Using either an integrated terminal or one that is not used for any other purpose or in any other system.

(3) A participant shall implement procedures to ensure that:

(a) The automated equipment is located in an area that prevents information, including any printed copy of a vehicle record, from being viewed by persons who are not authorized users of the equipment; and

(b) Any printed copy of the information obtained from Administration files is destroyed when its legitimate use has ended.

(4) The contractor, participant, and their respective employees shall:

(a) Maintain information obtained from the program in strictest confidence, not to be disclosed to any other person, firm, or corporation;

(b) Limit access to and use of information and computer resources to program activities; and

(c) Be aware that the Administration adheres to:

(i) State policies for data processing resources security authorized by the Governor's Executive Order 01.01.1983.18; and

(ii) Criminal Law Article, §§7-302, 8-606, and 8-607, Annotated Code of Maryland.

(5) Failure of the contractor, participant, or any of their respective employees to abide by the same policies and statutes, as specified in §D(2) and (4) of this regulation, may result in the Administration prosecuting or seeking remedies made available to it by contract, user agreement, statute, or regulation.

(6) Other federal and State laws and regulations that affect the access to and use of computer information are the:

(a) U. S. Computer Crime Statute of 1984 (18 U.S.C. §1030);

(b) Federal Information Security Management Act of 2002 (44 U.S.C. §3541 et seq.);

(c) Privacy Act of 1974 (5 U.S.C. §552a);

(d) Federal Freedom of Information Act (5 U.S.C. §552) and General Provisions Article, Title 4, Annotated Code of Maryland;

(e) Computer Fraud and Abuse Act of 1986 (18 U.S.C. §1030 et seq.);

(f) National Driver Register Act of 1982 (49 U.S.C. §30301 et seq.);

(g) Computer Software Rental Amendments Act of 1990 (17 U.S.C. §109);

(h) Fair Credit Reporting Act (15 U.S.C. §1681 et seq.);

(i) Driver's Privacy Protection Act of 1994 (18 U.S.C. §2721 et seq.); and

(j) National Institute of Standards and Technology Act (15 U.S.C. §271 et seq.).