Cybersecurity legislation by state 2019
Security regulations are on the rise. Just this month, news broke of a government agency's proposal to make service providers share the contact information for owners of vulnerable devices, and earlier this year the UK Government proposed a set of consumer IoT security regulations. Such security-focused movements are being seen at the state level too. Here's a roundup of some of the latest security laws enacted by states this year.
House Bill No. 4806 | Enacted: January 10th | Massachusetts | U.S.
Requires businesses to disclose security breach notifications and to offer free credit monitoring services for at least 18 months following a security breach to any residents who were/may have been affected. Also amends the content requirements of said security breach notifications to include disclosure of the person responsible for the breach, contact information of the entity that experienced/reported the breach, type of personal information compromised, details on the entity's standing information security program, and a copy of the notice sent to state residents.
Senate Bill No. 2110 | Enacted: April 11th | North Dakota | U.S.
Authorizes the state information technology department to advise and oversee cybersecurity strategy for all branches of state agencies, including political subdivisions, the Attorney General, local government, and school districts.
Senate Bill No. 52 | Enacted: May 10th | New Jersey | U.S.
Establishes credentials used for any online personal or business account as personal information subject to state breach notification laws. Account information can include: social security number, driver's license number, state identification card number, account number, credit/debit card number in combination with any PIN, access code, or password that would permit access, username or email address in combination with any password or security question that would permit access, and any dissociated data that, if linked, would constitute personal information.
House Bill No. 166 | Enacted: July 18th | Ohio | U.S.
Establishes funds for cybersecurity initiatives, such as establishing a cyber range: "The cyber range provides cyber training and education to K-12 students, higher education students, Ohio National Guardsmen, federal employees, and state and local government employees," and provides emergency preparedness exercises and trainings as well.
Senate Bill No. 5575 | Enacted: July 25th | New York | U.S.
Known as the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, this bill requires businesses to have reasonable security measures for personal information and to deliver notification to affected parties. Depending on the size of the business violation, fines can amount to $5,000 per violation or $20 per notification failure, with a limit of $250,000. This law reaches any business that conducts business activity in the state of New York; the business need not physically reside in New York state.
Senate Bill No. 46 | Enacted: August 1st | Louisiana | U.S.
Known as the Louisiana Cybersecurity Information Sharing Act, this bill authorizes entities to "monitor, share, and receive certain information relative to cyber threats" and "to provide relative to certain security and information controls; to provide for definitions; to provide for confidentiality of certain information; to provide with respect to evidence; to provide with respect to data breach notification; to provide for legal protections and privileges; and to provide for related matters." This bill falls in line with the Federal Cybersecurity Information Sharing Act of 2015.
Legislative Document No. 946 | Enacted: June 6th | Maine | U.S.
Known as An Act To Protect the Privacy of Online Customer Information, this bill "prohibits a provider of broadband internet access service from using, disclosing, selling, or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale, or access." ISPs are also prohibited from refusing to serve a customer if they do not wish to give consent for the use, disclosure, sale, or access of their personal information.
Senate Bill No. 220 | Enacted: October 1st | Nevada | U.S.
Revises a current law requiring websites and online services that collect Personally Identifiable Information (PII) to give notice to state consumers as to what they are collecting. The new law requests operators to establish a designated request address for consumers to submit opt-out requests for selling any of their collected PII. The Attorney General is also authorized to seek injunctions and/or civil penalties against any violators.
IoT security laws
House Bill No. 2395 | Enacted: June 10th | Oregon | U.S.
Requires persons that manufacture, sell, or offer to sell IoT devices to add reasonable security features to the device. Such features should protect information that the device collects, contains, transmits, or stores while also protecting against unauthorized access, destruction, modification, use or disclosure of information. This law follows the lead of California, which became the first state to enact an IoT security law with Senate Bill No. 327 in 2018.