In March 2018, Alabama and South Dakota passed laws mandating data breach notification for its residents.
The passage meant all 50 states, the District of Columbia and several U.S. territories now have legal frameworks that require businesses and other entities to notify consumers about compromised data.
All 50 states also have statutes addressing hacking, unauthorized access, computer trespass, viruses or malware, according to the National Conference of State Legislatures (NCSL). Every state has laws that allow consumers to freeze credit reporting, too.
While those milestones are notable, there are broader issues when it comes to legislative approaches to cybersecurity across the United States. There are vast discrepancies and differences among states when it comes to cybersecurity protection.
What Laws Are on the Books About Cybersecurity?
In 2018, there were more than 275 cybersecurity-related bills introduced by state legislatures in 33 states, Washington, D.C., and Puerto Rico. The legislative action covers a broad range of cybersecurity topics, including:
For companies, especially those that work across state lines, the variances among state laws creates a challenge in tracking requirements and remaining legally compliant.
For example, while most states require immediate notification of a data breach “without unreasonable delay,” the deadlines are varied. Nine states require notification within 45 days, South Dakota allows 60 days and Tennessee allows as many as 90 days. In addition, most states require written notification while some allow for notification via telephone or electronic notice.
While states have focused much of their recent legislation on data privacy, there are many other components of cybersecurity. Again, there is no uniformity. In fact, most states do not have laws about other important cybersecurity issues:
While broader laws addressing malware or computer trespass may be used to prosecute some of these attacks, the discrepancies further illustrate the different approaches and terminology states use.
What States Have Strong Data Privacy Laws?
Here are a few examples of states that have strong legal provisions within their cybersecurity and privacy laws:
What States Have Weak Data Security Laws?
Despite the growing legislative controls on cybersecurity issues and public expectation for data privacy, there are many states that have laws that are lacking, including:
How Long Does a Company Need to Retain Personal Identifying Information?
Many companies struggle knowing when or if to hold onto personal information on consumers. The challenge is that laws vary greatly from state to state. As of January 2019, according to the NCSL, only 35 states have laws requiring businesses or government entities to destroy or dispose of this data at all.
Of those 35 states:
Where Is the Federal Government in Cybersecurity?
The federal government has many laws and rules regarding cybersecurity, from HIPAA to the Cybersecurity Information Sharing Act, which allows for the U.S. government and technology or manufacturing companies to share Internet traffic information.
Other proposed legislation has hit some roadblocks. Take the Data Acquisition and Technology Accountability and Security Act, which would have established a national data breach reporting standard. State attorneys general strongly opposed the legislation, introduced in March 2018. The 32 state AGs argued that the bill would weaken consumer protections, make state laws stronger, and exempt too many companies.
For companies, the variances from state to state present a complex technical challenge. To remain compliant, they need policies, tools and solutions that ensure data is protected and secure.
Managed service providers (MSPs) offer a powerful option to address many data issues. MSPs provide cloud-based, off-site, secure data storage and automated backups. Data, systems and networks are monitored 24/7 to detect and remove unwanted activity. The advanced firewalls, enterprise-strength anti-virus tools and employee education that MSPs provide help maintain compliance and keep data safe from the attacks that trigger responses.
The growth of state legislation to address cybersecurity issues is welcome. The challenge for companies is finding a reliable solution that allows for responsive and responsible action.