A Preemptive Guide to State Cybersecurity Compliance

By Jonathan Trull, CISO and Head of Solutions Architecture, Qualys

Cyberattacks threaten businesses and governments more than ever, and state legislatures nationwide are moving to enact stricter cybersecurity laws. To date, 19 states have passed or signed into law comprehensive consumer privacy bills. For cybersecurity professionals, this constantly shifting landscape can make compliance feel like a moving target. Rather than reacting to each new regulation as it arrives, proactive security teams can get ahead of it with a few well-planned strategies that keep their organizations protected as the requirements change.

Understanding the Changing Landscape

State cybersecurity legislation is evolving rapidly, but several recurring themes are emerging.

First, recent legislative activity shows a clear trend toward strengthening and expanding existing breach notification requirements. Some states have widened the categories of businesses that must comply with breach notification mandates, so that more sectors are covered. Several states are lowering the threshold number of affected individuals above which notification becomes mandatory. And some states now prescribe the notification method, for example requiring both written and electronic notice.

Inspired by California's landmark legislation, US data privacy law remains a patchwork of comprehensive statutes and sector-specific rules. A growing number of states have enacted broad data privacy laws modeled on the CCPA/CPRA, while others regulate privacy within specific domains, such as children's data, health data, or financial data. There is nationwide momentum behind protecting personal data, but the approaches taken by individual states vary widely.

Recognizing the critical role of proactive cybersecurity measures, more states are mandating that businesses conduct regular cybersecurity risk assessments. These assessments identify vulnerabilities in systems and data, allowing organizations to prioritize mitigation strategies and strengthen their overall security posture.

Building on that point, several states mandate cybersecurity awareness training for employees. Massachusetts' data security regulations (201 CMR 17.00), for example, require covered organizations to provide ongoing security awareness training for their employees as part of a written information security program.

State vs. Federal Cybersecurity Laws

While state and federal laws differ in scope, they generally work together to form a comprehensive cybersecurity framework. Organizations must comply with both sets of regulations, depending on their industry, location, and data collection practices. Staying informed about the latest updates in both spheres is essential for maintaining compliance and safeguarding sensitive information.

Federal legislation provides a critical foundation for cybersecurity across various sectors. For example, the FTC Act grants the FTC broad authority to regulate unfair and deceptive business practices, including those related to data security. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to implement safeguards to protect customer data. And the Health Insurance Portability and Accountability Act (HIPAA) protects the privacy and security of individually identifiable health information.

While these federal laws provide a baseline level of protection for sensitive data across specific industries or nationwide, they often leave room for interpretation and may not address the full spectrum of evolving cyber threats, which is where state legislation comes in.

Today, states are taking an increasingly active role in regulating cybersecurity to complement federal legislation. California's CCPA and CPRA set a precedent for comprehensive data privacy laws that other states, such as Virginia and Colorado, have followed. States like New York and Maryland have enacted laws specific to safeguarding critical infrastructure within their borders. Several states are also introducing legislation that requires businesses to assess and manage the cybersecurity risks posed by their third-party vendors.

Understanding the distinct roles and areas of focus of both federal and state cybersecurity laws allows organizations to navigate the complex regulatory landscape effectively.

Steps You Can Take Today

While the specific requirements differ by state and industry, proactive organizations can take several key steps today to prepare for the evolving landscape of state cybersecurity compliance, including:

  • Identify where your risk is: Both technical and human risks are expanding. Regular risk assessments form the basis of a strong compliance framework, and you do not need to wait for a state regulation to start conducting them.
  • Prioritize data security: Wherever your data resides, it needs to be protected, whether you run a multinational organization or a 10-person startup. Map where sensitive data is created, where it travels, who can access it, and how it is ultimately destroyed.
  • Create a plan: Draft communication plans and incident response plans for a data breach before one happens. Established procedures save precious time during an incident and limit financial and reputational damage.

Building a Secure Future Through Proactive Compliance

A preemptive approach to cybersecurity compliance offers benefits that extend well beyond meeting regulatory requirements. Demonstrating a proactive commitment to security protects your reputation and builds trust with investors, customers, and partners alike. Fines for non-compliance, combined with the significant costs of a successful data breach, can be crippling for a business. Conversely, a strong cybersecurity posture can be a competitive advantage, particularly in security-sensitive industries such as healthcare and finance. Staying ahead of the evolving regulatory landscape is challenging, but neglecting it leaves organizations exposed. By taking action today, you will be well positioned to weather the coming wave of state cybersecurity regulations and build a more secure future for your organization.
