In March 2018, Alabama and South Dakota passed laws mandating data breach notification for their residents.
With their passage, all 50 states, the District of Columbia and several U.S. territories now have legal frameworks that require businesses and other entities to notify consumers about compromised data.
All 50 states also have statutes addressing hacking, unauthorized access, computer trespass, viruses or malware, according to the National Conference of State Legislatures (NCSL). Every state has laws that allow consumers to freeze credit reporting, too.
While those milestones are notable, there are broader issues with legislative approaches to cybersecurity across the United States. The protections states offer vary widely, and the requirements they impose are often inconsistent with one another.
What Laws Are on the Books About Cybersecurity?
In 2018, there were more than 275 cybersecurity-related bills introduced by state legislatures in 33 states, Washington, D.C., and Puerto Rico. The legislative action covers a broad range of cybersecurity topics, including:
Energy and critical infrastructure security
Government and private-sector security practices
Incident response remediation
For companies, especially those that work across state lines, the variances among state laws create a challenge in tracking requirements and remaining legally compliant.
For example, while most states require prompt notification of a data breach “without unreasonable delay,” the specific deadlines vary. Nine states require notification within 45 days, South Dakota allows 60 days and Tennessee allows as many as 90 days. In addition, most states require written notification, while some allow notification by telephone or electronic notice.
While states have focused much of their recent legislation on data privacy, there are many other components of cybersecurity. Again, there is no uniformity. In fact, most states do not have laws about other important cybersecurity issues:
Half the states have laws addressing denial-of-service attacks.
Just five states explicitly cite ransomware in statutes.
Phishing laws are in place in 23 states and Guam.
Twenty states, Guam and Puerto Rico have laws regarding spyware.
While broader laws addressing malware or computer trespass may be used to prosecute some of these attacks, the discrepancies further illustrate the different approaches and terminology states use.
What States Have Strong Data Privacy Laws?
Here are a few examples of states that have strong legal provisions within their cybersecurity and privacy laws:
Arkansas. Parental consent is required before student information can be shared with government agencies.
California. The state passed sweeping data privacy laws in 2018 requiring businesses to inform consumers of what personal information is being collected, disclosed or sold. The law, which goes into effect in 2020, contains provisions giving consumers the right to opt out of having their data sold to a third party. California is the only state with a constitutional declaration that data privacy is an inalienable right.
Delaware. Recently passed laws restrict advertising to children and protect the privacy of e-book readers.
Illinois. The state is the only one to protect biometric data.
Maine. It’s the only state that prohibits law enforcement from tracking people using GPS or other geo-location tools on computers or mobile devices.
Utah. The state is one of only two that requires ISPs to obtain customer consent before sharing customer data.
What States Have Weak Data Security Laws?
Despite the growing legislative controls on cybersecurity issues and public expectation for data privacy, there are many states that have laws that are lacking, including:
Alabama. There are no laws on the books that protect the online privacy of K-12 students.
Mississippi. To date, no laws exist that protect employee personal communications and accounts from employers.
South Dakota. Companies can retain personal information on employees indefinitely.
Wyoming. Employers can force employees to hand over passwords to social media accounts.
How Long Does a Company Need to Retain Personal Identifying Information?
Many companies struggle to know whether, and for how long, to hold onto personal information about consumers. The challenge is that laws vary greatly from state to state. As of January 2019, according to the NCSL, only 35 states have laws requiring businesses or government entities to destroy or dispose of this data at all.
Of those 35 states:
Only 14 require both businesses and government agencies to destroy or dispose of data.
Virginia requires government agencies only but excludes businesses.
Nineteen states do not require government agencies to dispose of or destroy personal information.
Where Is the Federal Government in Cybersecurity?
The federal government has many laws and rules regarding cybersecurity, from HIPAA to the Cybersecurity Information Sharing Act, which allows for the U.S. government and technology or manufacturing companies to share Internet traffic information.
Other proposed legislation has hit some roadblocks. Take the Data Acquisition and Technology Accountability and Security Act, which would have established a national data breach reporting standard. State attorneys general strongly opposed the legislation, introduced in March 2018. The 32 state AGs argued that the bill would weaken consumer protections, make state laws stronger, and exempt too many companies.
For companies, the variances from state to state present a complex technical challenge. To remain compliant, they need policies, tools and solutions that ensure data is protected and secure.
Managed service providers (MSPs) offer a powerful option to address many data issues. MSPs provide cloud-based, off-site, secure data storage and automated backups. Data, systems and networks are monitored 24/7 to detect and remove unwanted activity. The advanced firewalls, enterprise-strength anti-virus tools and employee education that MSPs provide help maintain compliance and keep data safe from the attacks that trigger notification obligations.
The growth of state legislation to address cybersecurity issues is welcome. The challenge for companies is finding a reliable solution that allows for responsive and responsible action.