Which of the following acts defines and formalizes laws to counter threats from computer?

Overview

The COVID-19 pandemic caused disruption and major shifts in the way government and businesses operated in 2021. Cybersecurity risks increased due to the sudden move to a remote workforce that often had fewer and less robust security measures in place. Cybercriminals found ways to take advantage of these conditions and of people's fears related to the coronavirus.

Recent unprecedented cyberattacks, such as the Solarwinds incident, which breached many company and federal and state government systems, also have kept cybersecurity a priority for many state lawmakers. 

2021 Introductions

At least 45 states and Puerto Rico introduced or considered more than 250 bills or resolutions that deal significantly with cybersecurity. Some of the issues seeing the most legislative activity include measures:

• Requiring government agencies to implement cybersecurity training, to set up and follow formal security policies, standards and practices, and to plan for and test how to respond to a security incident.
• Regulating cybersecurity within the insurance industry or addressing cybersecurity insurance.
• Creating task forces, councils or commissions to study or advise on cybersecurity issues.
• Supporting programs or incentives for cybersecurity training and education. 

States are also addressing cyber threats through appropriations. Not all cybersecurity appropriations are listed here, although significant funding or funding for specific statewide mandates or state projects may be listed.

2021 Enactments

At least 36 states enacted bills in 2021 (indicated in boldface in list below). Among the bills enacted include those in about half the states that provide for strengthened security measures to protect government resources. Enacted legislation in Connecticut and Utah provide incentives for private sector entities to have reasonable security practices in place at the time of a breach. Georgia, Kansas, Michigan, Vermont and Washington passed bills to exempt certain cybersecurity information from disclosure under public records laws. At least six states--Hawaii, Iowa, Maine, Minnesota, Tennessee and Wisconsin--passed legislation related to insurance data security standards. Indiana and North Carolina passed legislation that expressly targets ransomware: Indiana requires reporting of ransomware incidents, and North Carolina became the first state to prohibit government entities from paying ransomware demands. Louisiana and Virginia adopted resolutions providing for cybersecurity studies.

Other related security issues include election security (see NCSL's Elections database) and cybersecurity threats to the energy infrastructure and other critical infrastructure (see NCSL's Energy Program resources). Other NCSL resources address related topics such as security breach laws and legislation, privacy and other issues. 

2021 Cybersecurity Legislation

Alaska

AK H.B. 3
Status: Pending--carryover
Relates to the definition of disaster.

Alabama

AL S.B. 165

Status: Failed--adjourned
Public records, Alabama Public Records Act created, method of request for public records and manner of appeal, established, Office of Public Access Counselor, established, Sections 36-12-40, 36-12-41 repealed.

Status: Enacted
Recognizes Cybersecurity Awareness Month in October 2021.

Arizona

AZ S.B. 1159
Status: Failed--adjourned
Relates to technical correction, relates to electromagnetic pulse preparedness.

Arkansas

AR H.B. 1110
Status: Enacted
Requires a state entity to report a security incident to the Legislative Auditor.

AR S.B. 149

Status: Enacted
Amends the Fair Mortgage Lending Act. Provides that a mortgage broker, mortgage banker, or mortgage servicer required to be licensed shall establish, implement, update, and enforce written physical security and cybersecurity policies and procedures reasonably designed to ensure the confidentiality, integrity, and availability of physical and electronic records and information.

Creates the state Cyber Advisory Council.

California

CA A.B. 128

Status: Enacted
Makes appropriations for the support of state government for the 2021-22 fiscal year, including $2,000,000 to be used to establish and operate the Office of Elections Cybersecurity. Activities performed by the Office of Elections Cybersecurity are intended to be specific to elections and shall be designed so as to minimize overlap and in coordination with statewide cybersecurity efforts performed by the California Cybersecurity Integration Center. Also appropriates up to $925,000 for the California Cybersecurity Integration Center. Information sharing by the California Cybersecurity Integration Center shall be conducted in a manner that protects the privacy and civil liberties of individuals, safeguards sensitive information, preserves business confidentiality, and enables public officials to detect, investigate, respond to, and prevent cyberattacks that threaten public health and safety, economic stability, and national security. Appropriates $10,000,000 to address deferred maintenance projects that represent critical infrastructure deficiencies.

Status: Failed (cybersecurity provisions below were amended out)
Adds the California Privacy Protection Agency as one of the organizations whose representatives comprise the California Cybersecurity Integration Center. Declares that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.

Status: Pending
Requires all state agencies, as generally defined, to review and implement specified National Institute of Standards and Technology (NIST) guidelines for, among other things, reporting, coordinating, publishing, and receiving information about a security vulnerability relating to information systems and the resolution thereof, no later than July 1, 2022.

Status: Failed 
Requires state agencies not covered by the policies and procedures issued by the Office of Information Security within the Department of Technology to adopt and implement information security and privacy policies, standards, and procedures based upon standards issued by the National Institute of Standards and Technology and the Federal Information Processing Standards.

Status: Failed 
Requires the Department of Fish and Wildlife to separately track and account for all revenues collected under the above filing fee provision and all costs incurred in its role as a responsible agency or trustee agency under the California Environmental Quality Act.

Status: Failed 
Authorizes the Military Department, at the request of a local educational agency, to perform an independent security assessment of the local educational agency, or an individual schoolsite under its jurisdiction, the cost of which to be funded by the local educational agency, as specified.

Status: Vetoed
Relates to emergency services. Includes a deenergization event, defined as a planned power outage, as specified, within those conditions constituting a state of emergency and a local emergency.

Status: Enacted
Expands the definition of sudden and severe energy shortage to include a deenergization event, defined as a planned power outage, as specified, and would make a deenergization event one of those conditions constituting a state of emergency and a local emergency.

Status: Pending
Includes an electromagnetic pulse attack among those conditions constituting a state of emergency or local emergency.

Colorado

CO H.B.1236
Status: Enacted
Concerns the modification of certain statutory provisions to reflect the current state information technology environment. Provides that the Colorado cybersecurity council may develop a whole-of-state cybersecurity approach for the state and for local governments, including the coordination and setting of strategic statewide cybersecurity goals, roadmaps, and best practices. The council also may review the need to conduct risk assessments of local government systems and providing additional cybersecurity services to local governments.

Connecticut

CT H.B. 5868

Status: Failed
Requires an online listing of all cyberattacks or data breaches in the state, establishes a central location that lists all cyberattacks or data breaches in the state.

Status: Failed
Creates a tax safe harbor for business entities adopting a recognizable best practice cybersecurity plan.

Status: Enacted
Concerns the Insurance Department's recommendations regarding the general statutes.

Status: Enacted
Incentivizes the adoption of cybersecurity standards for businesses by allowing businesses that adopt certain cybersecurity framework to plead an affirmative defense to any cause of action that alleges that a failure to implement reasonable cybersecurity controls resulted in a data breach concerning personal or restricted information.

Status: Failed
Requires the Public Utilities Regulatory Authority to apply net neutrality principles to broadband Internet access service providers and enforce such principles with civil penalties, directs the authority to conduct studies on cybersecurity and data privacy laws in the state, extends the crime of stalking in the second degree to certain electronic disclosures of personal identifiable information without consent.

Status: Failed
Establishes a task force to study and develop recommendations concerning protection from, and prevention of, cyber attacks.

Status: Failed
Concerns data privacy, net neutrality, cyber security and fairness in data usage in the new age of a digital workforce, protects the economy and online learning from data breaches and limits on broadband usage.

Florida

FL H 971
Status: Failed
Relates to public records, relates to consumer data privacy, provides exemption from public records requirements for information relating to investigations by Department of Legal Affairs and law enforcement agencies of certain data privacy violations, provides for future review and repeal, provides statement of public necessity.

FL H.B. 1137

Status: Enacted
Relates to information technology procurement, requires Department of Management Services (DMS) to establish project management and oversight standards for state agency compliance and perform project oversight on it projects, requires department to issue request for quotes to vendors approved to provide commodities or services, requires Department of Management Services (DMS) to prequalify firms and individuals to provide services on state term contract.

Status: Enacted
Relates to cybersecurity, requires audit plans of inspector general to include certain information, revises provisions to replace references to it and computer security with references to cybersecurity, provides and revises requirements for Department of Management Services, acting through State Digital Service, creates State Cybersecurity Advisory Council within Department of Management Services, provides purpose of council.

Status: Failed
Relates to General Appropriations Act, provides moneys for annual period beginning specified date, and ending specified date, and supplemental appropriations for period ending specified date, to pay salaries and other expenses, capital outlay-buildings and other improvements, and for other specified purposes of various agencies of state government.

Status: Failed
Relates to Information Technology Procurement, requires the Department of Management Services, through the Florida Digital Service, to establish certain project management and oversight standards for state agency compliance, requiring the department to perform project oversight on information technology projects that have total project costs of a certain amount or more.

Status: Failed
Relates to cybersecurity, requires certain audit plans of an inspector general to include certain information, revises provisions to replace references to information technology security and computer security with references to cybersecurity, provides that certain employees shall be assigned to selected exempt service, creates the Florida Cybersecurity Advisory Council within the Department of Management Services.

FL S.B. 7064
Status: Failed
Relates to public records/investigations by the department of legal affairs; provides an exemption from public records requirements for information relating to investigations by the Department of Legal Affairs and law enforcement agencies of certain data privacy violations; provides for future legislative review and repeal of the exemption; provides a statement of public necessity.

Status: Enacted
Relates to public records or social media platform activities, provides a public records exemption for information received by the Attorney General pursuant to an investigation by the Attorney General or a law enforcement agency into certain social media platform activities, provides a public records exemption for information received by the Department of Legal Affairs pursuant to an investigation by the department.

Georgia

GA H.B. 134

Status: Enacted
Relates to open and public meetings, so as to exclude meetings relating to cybersecurity contracting and planning from open meeting requirements, relates to inspection of public records, so as to provide an exemption for certain documents relating to cybersecurity plans and systems, provides for related matters, provides for an effective date, repeals conflicting laws.

Status: Enacted
Relates to military, emergency management, and veterans affairs, so as to provide for additional powers and duties related to homeland security and the military, facilitates the sharing of information and reporting of cyber attacks, requires governmental agencies and utilities to report any cyber attacks to the director of emergency management and homeland security, provides for certain reports and records related to cyber attacks to be exempt from public disclosure, relates to workforce development.

Status: Failed 
Relates to military, emergency management, and veterans affairs, so as to establish the State Cybersecurity Review Board, provides for membership and duties of the board, provides for definitions, requires the board, in conjunction with the Georgia Technology Authority, to establish cybersecurity training for employees of all state agencies, provides for adverse employment action if such training is not completed.

Status: Failed 
Relates to selling and other trade practices, so as to provide for legislative findings, provides standards for cybersecurity programs to protect businesses from liability, provides for affirmative defenses for data breaches of private information, provides for related matters, provides for an effective date, repeals conflicting laws.

Status: Failed 
Relates to selling and other trade practices, so as to provide for legislative findings, provides standards for cybersecurity programs to protect businesses from liability, provides for affirmative defenses for data breaches of private information, provides for related matters, provides for an effective date, repeals conflicting laws.

Hawaii

HI H.B. 454

Status: Failed 
Establishes an income tax credit for investment in qualified businesses that develop cybersecurity and artificial intelligence.

Status: Failed 
Requires manufacturers of connected devices to equip the devices with reasonable security features regarding information collected, unauthorized access, or the destruction or use of the devices.

Status: Failed 
(Governor Bill Package) Adopts the national conference of insurance commissioners' insurance data security model law to establish insurance data security standards for state insurance licensees.

Status: Failed 
(Governor Bill Package) Establishes the Hawaii state fusion center as a program under the office of homeland security as described in chapter 128a, Hawaii Revised Statutes, establishes the position of Hawaii state fusion center director.

Status: Failed 
Requires manufacturers of connected devices to equip the devices with reasonable security features regarding information collected, unauthorized access, or the destruction or use of the devices.

Status: Enacted
(Governor Bill Package) Enacts the National Association of Insurance Commissioners' Insurance Data Security Model Law to establish insurance data security standards for Hawaii insurance licensees.

Status: Failed 
(Governor Bill Package) Establishes the state fusion center as a program under the Office of Homeland Security, establishes the position of state state fusion center director who shall be state funded responsible to the Director of Homeland Security and accountable to manage the operations of the center.

Iowa

IA D 1335

Status: Failed 
Relates to standards for data security, and investigations and notifications of cybersecurity events, for certain licensees under the jurisdiction of the commissioner of insurance, makes penalties applicable, includes effective date provisions.

Status: Enacted
Relates to standards for data security, and investigations and notifications of cybersecurity events, for certain licensees under the jurisdiction of the Commissioner of Insurance, makes penalties applicable, includes effective date provisions.

Status: Enacted
Relates to appropriations to the justice system, gambling regulatory fees, and creating a bureau of cyber-crime, establishing a department of corrections survivor benefits fund, and including effective date and retroactive applicability provisions.

Status: Failed 
Relates to standards for data security, and investigations and notifications of cybersecurity events, for certain licensees under the jurisdiction of the Commissioner of Insurance, makes penalties applicable, includes effective date provisions.

Status: Failed
Relates to standards for data security, and investigations and notifications of cybersecurity events, for certain licensees under the jurisdiction of the Commissioner of Insurance, makes penalties applicable, includes effective date provisions.

Status: Failed 
Relates to standards for data security, and investigations and notifications of cybersecurity events, for certain licensees under the jurisdiction of the Commissioner of Insurance, makes penalties applicable, includes effective date provisions.

Idaho

ID H.B. 147
Status: Failed
Enacts the Insurance Data Security Act, establishes provisions regarding an information security program, provides for investigation and notice of a cybersecurity event, provides that the director of the department of insurance will have the power to examine and investigate certain matters, provides for confidentiality and sharing of documents, materials, and other information, provides exceptions, provides that the chapter does not create a private cause of action, provides for penalties.

Illinois

IL H.B. 1588

Status: Pending
Amends the Information Security Improvement Act, makes a technical change in a section concerning the short title.

Status: Pending
Amends the Local Records Act, provides that a unit of local government, acting through its governing board, may authorize the use of technology to execute its duties, or assist in the execution of certain portions of public duties, where those technologies utilize commonly accepted methods of data storage and cybersecurity, and the unit of local government otherwise continues adherence to the Local Records Act.

Status: Pending
Creates the Cybersecurity Compliance Act, creates an affirmative defense for every covered entity that creates, maintains, and complies with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of either personal information or both personal information and restricted information and that reasonably conforms to an industry-recognized cybersecurity framework, prescribes requirements for the cybersecurity program.

Status: Pending
Creates the Insurance Data Security Act, requires any person licensed, authorized to operate, or registered as an insurer in accordance with the insurance Laws of this State to conduct a risk assessment of cybersecurity threats, implement appropriate security measures, and no less than annually assess the effectiveness of the safeguards' key controls, systems, and procedures.

Status: Pending
Amends the Information Security Improvement Act, makes a technical change in a section concerning the short title.

Status: Enacted
Amends the Emergency Management Agency Act, expands the definition of disaster to include a cyber attack.

Status: Pending
Amends the Department of Innovation and Technology Act, requires the Department of Innovation and Technology to work to ensure the security of the social media and Internet presence of state elected officials and state agencies and, to the extent possible, reserve the use of State government online accounts, whether social media or email, for use only by state officials, state agencies, and employees thereof, to prevent false personation, provides for the adoption of rules, defines false personation.

Status: Pending
Creates the Consumers and Climate First Act, provides that it is the policy of the state to transition to 100% clean energy by 2050, amends the Governmental Ethics Act, expands the information required to be provided on a statement of economic interests to include employment by a public utility, amends the Enterprise Zone Act, expands, in provisions relating to High Impact Businesses, the definition of new electric generating facility to include a new utility scale solar power facility.

Status: Pending
Amends the School Code to require a school district to report a cyber security attack to the State Board of Education as soon as school personnel determine that a breach of the school district's computer system or network has occurred, amends various Acts relating to the governance of public universities and community colleges in Illinois to require a public university or community college district to report a cyber security attack to the Department of Innovation and Technology as soon as school person.

Status: Pending
Amends the Freedom of Information Act, exempts from disclosure risk and vulnerability assessments, security measures, schedules, certifications, and response policies or plans that are designed to detect, defend against, prevent, or respond to potential cyber attacks upon the state's or an election authority's network systems, or records that the disclosure of which would, in any way, constitute a risk to the proper administration of elections or voter registration.

Status: Enacted
Amends the Election Code, relates to cybersecurity, requires each election authority maintaining a website to begin utilizing a .gov website address and a .gov electronic mail address for each employee.

Status: Pending
Amends the Local Records Act, provides that a unit of local government, acting through its governing board, may authorize the use of technology to execute its duties, or assist in the execution of certain portions of public duties, where those technologies utilize commonly accepted methods of data storage and cybersecurity, and the unit of local government otherwise continues adherence to the Local Records Act.

Status: Pending
Creates the Consumers and Climate First Act, provides that it is the policy of the state to transition to 100% clean energy by 2050, amends the Governmental Ethics Act, expands the information required to be provided on a statement of economic interests to include employment by a public utility, amends the Enterprise Zone Act, expands, in provisions relating to High Impact Businesses, the definition of new electric generating facility to include a new utility scale solar power facility.

Indiana

IN H.B. 1169
Status: Enacted
Relates to cybersecurity incidents, requires the office of technology to maintain a repository of cybersecurity incidents, provides that a state agency and a political subdivision shall report any cybersecurity incident to the office without unreasonable delay and not later than two business days after discovery of the cybersecurity incident in a format prescribed by the chief information officer, allows the office of technology to assist a state agency with certain issues concerning information technology.

Kansas

KS H.B. 2292

Status: Failed 
Creates exemptions in the Open Records Act for cyber security assessments, plans and vulnerabilities.

Status: Enacted
Makes permanent certain exceptions to the disclosure of public records under the Open Records Act.

Status: Failed 
Amends the state Cybersecurity Act, requires security training for all state agencies, provides for certain information to be provided to the Joint Committee on Information Technology.

Louisiana

LA H.B. 128

Status: Enacted
Provides relative to the powers and duties of the Cash Management Review Board with respect to financial security and cybersecurity plans and procedures adopted by state agencies, including the assessment and deployment of such plans and procedures.

Status: Enacted
Establishes an exception to public records requirements for certain information by the Secretary of State.

Status: Failed--adjourned
(Constitutional Amendment) Revises Article VII of the Constitution of Louisiana.

Status: Failed--adjourned
Dedicates funds to the State Cybersecurity and Information Technology Fund.

Status: Enacted
Directs the joint legislative committee on technology and cybersecurity to examine and consider potential regulatory structures for network installers and cybersecurity providers operating in the state.

Status: Adopted
Directs the Department of Economic Development to study and report on cyber-related issues.

Status: Enacted
Relates to purchase of telecommunication and video equipment or services by all state agencies.

Massachusetts

MA H.B. 107

Status: Pending
Regulates privacy and technology in education.

Status: Pending
Relates to cyber procurement insurance.

Status: Pending
Relates to the security of personal financial information.

Status: Pending
Establishes a task force to study the need for increased cyber security within government agencies.

Status: Pending
Relates to cybersecurity standards in state contracts or procurements.

Status: Pending
Relates to cyber crime prevention in schools.

Status: Pending
Establishes a Cybersecurity Control and Review Commission.

Status: Pending
Ensures cyber security in the Commonwealth.

Status: Pending
Relates to cybersecurity standards in government procurements.

Status: Pending
Relates to cyber procurement insurance.

Status: Pending
Establishes a Cybersecurity Control and Review Commission.

Status: Pending
Relates to cyber crime prevention in schools.

Status: Pending
Creates an office of data protection, cybersecurity, and privacy.

Maryland

MD H.B. 38

Status: Failed--adjourned
Relates to the Department of Information Technology.

Status: Failed--adjourned
Relates to the Personal Information Protection Act.

Status: Enacted
Prohibits a person from committing a certain prohibited act with the intent to interrupt or impair the functioning of a health care facility or a public school, prohibits a person from knowingly possessing certain ransomware with the intent to use the ransomware for purposes of introduction into a computer, network or system of another person, alters and establishes certain penalties, authorizes a victim of a certain offense to bring a civil action for damages against a certain person.

Status: Failed--adjourned
Requires each unit of State government to submit a certain report related to information technology and cybersecurity to the Department of Information Technology on or before a certain date each year, establishes the required contents of certain reports, requires the Department to compile and analyze certain information and report to each unit of State government and the General Assembly certain information and recommendations by a certain date of each year.

Status: Failed--adjourned
Provides for the target per pupil foundation amount in fiscal year 2022, requires each county board of education to use not less than 7% of the target per pupil foundation amount to provide certain technology resources to students, authorizes a local school system, at the end of each fiscal year, to hold unused funds in a special fund to be used in a subsequent fiscal year, requires a county board that allocates certain funding to follow certain information technology security standards.

Status: Failed--adjourned
Requires the State Department of Education, the Behavioral Health Administration within the Maryland Department of Health, the Maryland Center for School Safety, and the Department of Information Technology jointly to develop and publish a cyber safety guide and training course on safe Internet, social media, and technology usage for certain students, parents, and school employees to be implemented beginning in the 2022-2023 school year, requires the guide to be posted on certain websites.

Status: Failed--adjourned
Establishes the Cybersecurity Coordination and Operations Office within the Maryland Emergency Management Agency to help improve statewide cybersecurity readiness and response, requires the Director of MEMA to appoint an Executive Director as head of the Office, requires the Office to be provided with sufficient staff to perform the Office's functions.

Status: Failed--adjourned
Requires the Department of Information Technology, in coordination with the Maryland Cybersecurity Council, to develop criteria for the certification of certain cybersecurity training programs for use by State and local government employees required to complete cybersecurity training each year, certify at least 20 programs, review and update certain certification standards at certain times, and maintain a list of all certified programs on its website.

Status: Failed--adjourned
Alters the duties of the Maryland Cybersecurity Council to include monitoring and evaluating certain election security measures and high-speed Internet access in the State, requires the Council to make recommendations concerning any legislative changes considered necessary by the Council to address election security and high-speed Internet access.

Status: Enacted
Relates to cybersecurity. Requires the Secretary of Information Technology to advise and oversee a consistent cybersecurity strategy for certain units of state government. Requires the Secretary to advise and consult with the Legislative and Judicial branches of state government regarding a cybersecurity strategy. Requires the Secretary to develop guidance on consistent cybersecurity strategies for certain political subdivisions of the state.

Status: Failed--adjourned
Relates to the emergency management agency.

Status: Failed--adjourned
Relates to the Personal Information Protection Act.

Status: Enacted
Relates to the Cybersecurity Investment Incentive Tax Credit Program.

Status: Failed--adjourned
Relates to cyber safety guide and training course.

Status: Failed
Relates to information technology.

Status: Failed--adjourned
Relates to protection of information.

Status: Enacted
Prohibits a person from committing a certain prohibited act with the intent to interrupt or impair the functioning of a health care facility or a public school, prohibits a person from knowingly possessing certain ransomware with the intent to use the ransomware to restrict access by authorized persons and demanding payment to remove the ransomware, authorizes a victim of a certain offense to bring a civil action for damages against a certain person.

Status: Failed--adjourned
Requires the Department of Information Technology to issue certain standards and guidelines for units of State government for the appropriate use and management of certain Internet of Things devices under certain circumstances, requires the Department to review and revise its standards and guidelines at least once every 5 years to ensure that they are at least as comprehensive as the standards and guidelines adopted by the Director of NIST.

Status: Failed--adjourned
Provides for the target per pupil foundation amount in fiscal year 2022, requires each county board of education to use not less than 7% of the target per pupil foundation amount to provide certain technology resources to students, authorizes a local school system, at the end of each fiscal year, to hold unused funds in a special fund to be used in a subsequent fiscal year, requires a county board that allocates certain funding to follow certain information technology security standards.

Status: Failed--adjourned
Requires the Department of Information Technology, in coordination with the Maryland Cybersecurity Council, to develop criteria for the certification of certain cybersecurity training programs for use by State and local government employees required to complete cybersecurity training each year, certify at least 20 programs, review and update certain certification standards at certain times, and maintain a list of all certified programs on its website.

Status: Failed--adjourned
Establishes the Cyber Workforce Program in the Partnership for Workforce Quality Program, provides for the purpose of the Cyber Program, requires the Secretary of Commerce to direct the Cyber Program, requires the Secretary to establish certain criteria and priorities for assistance under the Cyber Program, requires the Secretary to submit a certain report on the operation and performance of the Cyber Program.

Status: Failed--adjourned
Requires each unit of State government and certain local agencies to submit a certain report related to information technology and cybersecurity to the Department of Information Technology on or before September 1 each year, establishes the required contents of certain reports, requires the Department to compile and analyze certain information and report to each unit of State government and the General Assembly certain information and recommendations by December 31 each year.

Status: Enacted
Relates to University of Maryland Strategic Partnership Act of 2016.

Maine

ME H.B. 17

Status: Enacted
Enacts the Maine Insurance Data Security Act, establishes standards for information security programs based on ongoing risk assessment for protecting consumers' personal information, establishes requirements for the investigation of and notification to the Superintendent of Insurance regarding cybersecurity events.

Status: Enacted
Protects data privacy and security in elections, proposes to protect data privacy and security in elections.

Status: Failed 
Enacts the Maine Insurance Data Security Act.

Status: Failed 
Protects data privacy and security in elections.

Status: Enacted
Provides allocations for the distribution of state fiscal recovery funds. Provides funding to tackle the highest-risk areas identified by an external program review, including formalizing a business continuity plan for the State's information technology and setting a framework for providing leadership to state agencies in business continuity planning. This one-time funding for cybersecurity will augment the proposed General Fund appropriation request and provide the resources needed to tackle some of the highest-risk areas, including business continuity planning and workforce enhancements. Provides funding to support and maintain the State's cybersecurity program and investments.

Establishes the state of Maine Cybersecurity Advisory Council.

Michigan

MI H.B. 5036

Status: Pending
Provides technology, management, and budget department to create resources concerning digital literacy and cyber safety on public website to House Communications and Technology Committee.

Status: Pending
Provides technology, management, and budget department to create resources concerning digital literacy and cyber safety on public website.

Status: Pending
Provides for an affirmative defense for covered entities with cybersecurity programs under certain circumstances.

Minnesota

MN H.B. 6  

Status: Enacted

Relates to commerce, establishes a biennial budget for Department of Commerce, Public Utilities Commission, and energy activities, modifies various provisions governing insurance, modifies provisions governing collections agencies and debt Buyers, modifies and adds consumer protections, establishes and modifies provisions governing energy, renewable energy, and utility regulation, provides for certain salary increases, makes technical changes, establishes penalties, requires reports, appropriates money.

Status: Failed--adjourned

Relates to commerce, establishes a biennial budget for Department of Commerce, Public Utilities Commission, and energy activities, modifies various provisions governing insurance, modifies provisions governing collections agencies and debt Buyers, modifies and adds consumer protections, establishes and modifies provisions governing energy, renewable energy, and utility regulation, provides for certain salary increases, makes technical changes, establishes penalties, requires reports, appropriates money.

Status: Failed - adjourned
Relates to state government, establishes a Legislative Commission on Cybersecurity, provides legislative appointments.

Status: Failed
Relates to commerce, establishes a biennial budget for Department of Commerce and energy activities, modifies various provisions governing and administered by the Department of Commerce, establishes a prescription drug affordability board and related regulations, modifies various provisions governing insurance.

Status: Failed - adjourned
Relates to insurance, establishes an Insurance Data Security Law.

Status: Failed - adjourned
Relates to commerce, establishes a biennial budget for Department of Commerce and energy activities, modifies various provisions governing and administered by the Department of Commerce, establishes a prescription drug affordability board and related regulations, modifies various provisions governing insurance, establishes a student loan borrower bill of rights, modifies and adding consumer protections, modifies provisions governing collections agencies and debt buyers.

Status: Failed - adjourned
Relates to state government, establishes a Legislative Commission on Cybersecurity, provides legislative appointments, proposes coding for new law.

Status: Failed
Relates to insurance, establishes an Insurance Data Security Law.

Status: Failed - adjourned
Relates to commerce, modifies various provisions governing or administered by the Department of Commerce, modifies allowance of reinsurance credit, establishes an insurance data security law, makes technical changes.

Missouri

MO H.B. 1204

Status: Failed--adjourned
Establishes the Missouri Cybersecurity Commission.

Status: Enacted 
Relates to public safety, modifies provisions relating to licensure as a boat dealer, modifies provisions relating to certain vessel registration and fees, adds restrictions for certain vessel anchorage at docks, provides a penalty, establishes the Missouri Cybersecurity Commission within the Department of Public Safety.

Status: Failed - adjourned
Relates to grants to employers for the purpose of enhancing cybersecurity.

Mississippi

MS H.B. 633

Status: Enacted
Creates the Mississippi Computer Science and Cyber Education Equality Act, authorizes and directs the Mississippi Department of Education to implement a mandatory k 12 computer science curriculum based on the Mississippi College and Career Readiness Standards for computer science, which includes instruction in, but not limited to, computational thinking, cyber related, programming, cyber security, data science, robotics and other computer science and cyber related content.

Status: Failed
Creates the Mississippi Computer Science and Cyber Education Equality Act, authorizes and directs the Mississippi Department of Education to implement a mandatory K 12 computer science curriculum based on the state college and career readiness standards for computer science which includes instruction in, but not limited to, computational thinking, computer programming, cyber security, data science, robotics and other computer science and cyber related content.

Creates a Task Force on State Cybersecurity, directs the Task Force to develop recommendations and proposals to identify vulnerabilities of systems, staffing, training and technologies with state agencies.

Montana

MT H.B. 10

Status: Enacted
Revises laws related to Information Technology Capital Projects, appropriates money for Information Technology Capital Projects for the biennium ending a specified date, provides for matters relating to the appropriations, provides for a transfer of funds from the general fund to the Long-Range Information Technology Program Account, provides for the development and acquisition of new information technology systems for the specified agencies.

MT H.B. 530
Status: Enacted
Requires the Secretary of State to adopt rules defining and governing election security; requires election security assessments by the Secretary of State and county election administrations; establishes that security assessments are confidential information; establishes reporting requirements; directs the Secretary of State to adopt rules prohibiting certain persons from receiving pecuniary benefits with respect to certain ballot activities; provides for penaltieS.

MT H.B. 614

Status: Enacted
Revises the workforce development provisions of the Health and Economic Livelihood Partnership act, establishes allowable uses of workforce development funding, requires contracting for training and education programs, extends rulemaking authority.

Continues the Montana Information Security Advisory Council.

Nevada

NV BDR 63
Status: Failed--adjourned
Revises provisions relating to cyber security.

New Hampshire

NH H.B. 137

Status: Failed
Exempts certain statewide standards and protocols relative to information technology, networks, telephony, and cyber security developed by the department of information technology from a specified rulemaking.

Status: Enacted
Establishes certain technical committees and a cybersecurity advisory committee in the Department of Information Technology.

Status: Failed
Establishes an information technology supply chain risk authority.

Status: Enacted
Defines cybersecurity incident and requires that political subdivisions report such incidents to the department of information technology.

Status: Pending
Establishes the position of chief information security officer and deputy chief information security officer in the department of information technology.

Status: Failed
Relates to cyber security incident reporting and recommended cyber security standards for political subdivisions.

New Jersey

NJ A.B. 442

Status: Pending
Requires public institutions of higher education to establish plans concerning cyber security and prevention of cyber attacks.

Status: Pending
Directs New Jersey Cyber security and Communications Integration Cell to develop cyber security prevention best practices and awareness materials for consumers in this state.

Status: Pending
Concerns information security standards and guidelines for state and local government.

Status: Pending
Requires state, county, and municipal employees and certain state contractors to complete cybersecurity awareness training.

Status: Pending
Establishes the crime of cyber interference, defined as tampering or interfering with any software, computer, cell phone, or any other electronic device, with the purpose to harass another.

Status: Pending
Directs state Cybersecurity and Communications Integration Cell, Office of Information Technology, and state Big Data Alliance to develop advanced cyberinfrastucture strategic plan.

Status: Pending
Clarifies the crime of unlawful access concerning certain password protected communications in electronic storage.

Status: Pending
Requires state employees to receive best cybersecurity practices.

Status: Pending
Concerns debarment of contractors for conviction of certain computer-related crimes.

Status: Pending
Creates affirmative defense for certain breaches of security.

Status: Pending
Revises cybersecurity, asset management, and related reporting requirements in Water Quality Accountability Act.

Status: Pending
Requires each principal department in Executive Branch and each State college to conduct review of department's or college's cybersecurity infrastructure and make recommendations.

Status: Pending
Requires businesses in financial, essential infrastructure, and health care industries to report cybersecurity incidents.

Status: Pending
Establishes cybersecurity employment grant program for qualified businesses.

Status: Pending
Requires businesses in financial, essential infrastructure, and health care industries to develop cybersecurity plans.

Status: Pending
Requires instruction on cybersecurity in grades nine through 12, requires Office of Secretary of Higher Education to develop cybersecurity model curricula, establishes loan redemption programs for individuals in certain cybersecurity occupations.

Status: Pending
Requires municipalities, counties, and school districts to report cybersecurity incidents.

Status: Pending
Requires public agencies report cybersecurity incidents to New Jersey Office of Homeland Security and Preparedness.

Status: Pending
Urges Secretary of State to assure Legislature and public that State's electoral system is protected from foreign computer hackers.

Status: Pending
Establishes Technology Task Force.

Status: Pending
Designates October of each year as Cyber Security Awareness Month.

Status: Pending
Establishes state Cybersecurity Task Force.

Status: Pending
Directs the state Cybersecurity and Communications Integration Cell, Office of Information Technology, and the state Big Data Alliance to develop an advanced cyberinfrastucture strategic plan.

Status: Enacted
Revises cybersecurity, asset management, and related reporting requirements in Water Quality Accountability Act.

Status: Pending
Requires certain persons and business entities to maintain comprehensive information security program.

Status: Pending
Clarifies crime of unlawful access concerning certain password protected communications in electronic storage.

Status: Pending
Requires Economic Development Authority to establish program offering low interest loan to certain financial institutions and personal data businesses to protect business's information technology system from customer personal information disclosure.

Status: Pending
Creates affirmative defense for certain breaches of security.

Status: Pending
Establishes the New Jersey Information Technology Commission.

Status: Pending
Requires each principal department in Executive Branch and each State college to conduct review of department's or college's cybersecurity infrastructure and make recommendations.

Status: Pending
Requires businesses in financial, essential infrastructure, and health care industries to develop cybersecurity plans.

Status: Pending
Requires businesses in financial, essential infrastructure, and health care industries to report cybersecurity incidents.

Status: Pending
Requires municipalities, counties, and school districts to report cybersecurity incidents.

Status: Pending
Establishes cybersecurity employment grant program for qualified businesses.

Status: Pending
Requires instruction on cybersecurity in grades nine through 12, requires Office of Secretary of Higher Education to develop cybersecurity model curricula, establishes loan redemption programs for individuals in certain cybersecurity occupations.

Status: Pending
Requires public agencies report cybersecurity incidents to State Office of Homeland Security and Preparedness.

Status: Pending
Establishes State Cybersecurity Task Force.

New Mexico

NM H.B. 70
Status: Failed--adjourned
Relates to domestic terrorism, defines "denial of service attack", defines "school", "community center", "place of worship" and "public accommodation", creates the crimes of terrorism, cyberterrorism, possessing a terroristic weapon and making a terroristic threat, provides penalties, provides for concurrent jurisdiction of crimes under the antiterrorism act, requires information sharing and reporting.

New York

NY A.B. 535

Status: Pending
Enacts the New York Grid Modernization Act to address the aging infrastructure, establishes the grid modernization program, defines terms, creates the smart grid advisory council, makes related changes. Provides for cyber security systems to protect customer financial information and data relating to personal electrical usage.

Status: Pending
Authorizes continuing care retirement communities to adopt a written cybersecurity policy, requires such policies to be self-certified and approved by the superintendent.

Status: Pending
Establishes the crime of disruption of an online public meeting when a person with intent to cause public inconvenience, annoyance or alarm, without lawful authority, and acting through a computer service, he or she disturbs any lawful assembly or meeting of persons open to the public conducted through a computer service, makes such crime a class B misdemeanor.

Status: Pending
Establishes a commission to study the European Union's general protection data regulation and the current state of cybersecurity in the state.

Status: Pending
Enacts the "computer spyware protection act", prohibits the installation, transmission and use of computer software that collects personally identifiable information, authorizes the Attorney General to bring a civil action against any person who violates any provision of this section, seeks damages ranging from one thousand dollars to one million dollars.

Status: Pending
Establishes the School District Cyber Crime Prevention Services Program to provide school districts with information on strategies, best practices and programs offering training and assistance in the prevention of cyber crimes in school districts or otherwise affecting school districts, provides further that information on eligibility and applications for financial assistance be made available to school districts.

Status: Pending
Establishes the misdemeanor of interfering in the election process by electronic means.

Status: Pending
Requires the Department of Education to provide annual notifications to school districts to combat cyber crime.

Status: Pending
Creates the crime of cyberterrorism and calculating damages caused by computer tampering, cyberterrorism shall be a class B felony.

Status: Pending
Establishes civilian cyber security reserve Forces within the New York state militia to be capable of being expanded and trained to educate and protect state, county, and local government entities, critical infrastructure, including election systems, businesses and citizens of the state from cyber attacks, makes related provisions.

Status: Pending
Relates to computer-related crimes. Creates the crimes of unlawful disruption of computer services in the first and second degree, unlawful computer access assistance in the first and second degree, unauthorized use of internet domain name or profile, and unlawful introduction of a computer contaminant, allows for a civil action for compensatory damages for victims of such crimes.
​

Status: Pending
Establishes the misdemeanor of interfering in the election process by electronic means.

Status: Pending
Requires the Department of Education to provide annual notifications to school districts to combat cyber crime.

Status: Pending
Establishes the school district cyber crime prevention services program.

Status: Pending
Amends the Tax Law, relates to a business tax credit for purchase of data breach insurance.

Status: Pending
Amends the State Technology Law, requires governmental entities to implement multifactor authentication for local and remote network access.

Status: Pending
Directs that state agencies require that procurement of personal computing goods, services and solutions meet the National Institute of Standards and Technology Cybersecurity Framework.

Status: Pending
Relates to computer-related crimes, creates the crimes of unlawful disruption of computer services in the first and second degree, unlawful computer access assistance in the first and second degree, unauthorized use of internet domain name or profile, and unlawful introduction of a computer contaminant, allows for a civil action for compensatory damages for victims of such crimes.

Status: Pending
Elevates all computer tampering offenses by one degree in severity.

Status: Pending
Establishes a commission to study the European Union's general protection data regulation and the current state of cybersecurity in the state.

Status: Pending
Creates a Cyber Security Enhancement Fund to be used for the purpose of upgrading cyber security in local governments, including but not limited to, villages, towns and cities with a population of one million or less, restricts the use of taxpayer moneys in paying ransoms in response to ransomware attacks.

Status: Pending
Prohibits governmental entities, business entities and health care entities from paying a ransom in the event of a cyber incident or a cyber ransom or ransomware attack.

Status: Pending
Enacts the "Critical Infrastructure Standards and Procedures (CRISP) Act."

North Carolina

NC H.B. 813

Status: Pending
Prohibits any state agency, unit of local government, or public authority from paying a ransom in connection with a cybersecurity incident and clarifies the reporting of cybersecurity incidents to the department of information technology.

Status: Failed - adjourned
Appropriates additional funds to support a dedicated North Carolina Defense Cyber Office in the NC Military Business Center.

NC S.B. 105
Status: Enacted
Prohibits state agencies or local government entities from submitting payment or otherwise communicating with an entity that us making a ransomware demand. Makes base budget appropriations for current operations of state agencies, departments, and institutions. (art. 84)

North Dakota

ND D 198

Status: Failed--adjourned
Relates to cybersecurity incident reporting requirements.

Status: Failed
Relates to the powers and duties of the information technology department.

Status: Enacted
Relates to cybersecurity incident reporting requirements.

Status: Enacted
Relates to the Powers and duties of the information technology department.

Status: Enacted
Relates to third party software access to insurance policy information.

Ohio

OH H.B. 116

Status: Pending
Enacts the Computer Crimes Act.

Status: Pending
Regards the state's information technology systems and shared services, makes an appropriation. Creates a biannual advisory committee on state information and technology and a cybersecurity and fraud advisory board to examine and make recommendations on the state's information technology systems and services, including cybersecurity.

Status: Pending
Amends section 1347.12, enacts section 125.184 of the Revised Code regarding data breaches on state agency computer systems. Requires the state chief information officer to conduct an examination of each state agency to assess the risk of a breach of the security of the system of that state agency.

Oklahoma

OK H.B. 1759
Status: Enacted
Relates to crimes and punishments, relates to the Oklahoma Computer Crimes Act, modifies definition, defines term, expands scope of certain prohibited acts, makes certain acts unlawful, provides construing provision, provides an effective date.

Oregon

OR S.B. 293
Status: Enacted
Directs office of State Chief Information Officer to develop recommendations related to elevating consideration of privacy, confidentiality and data security measures in state government enterprise and shared information technology services, and to submit recommendations in report to certain interim committees of Legislative Assembly by specified date.

Pennsylvania

PA H.B. 40

Status: Pending
Establishes the Office of Information Technology and the Information Technology Fund, provides for administrative and procurement procedures and for the joint cybersecurity oversight committee, imposes duties on the office of information technology, provides for administration of statewide radio network, imposes penalties.

Status: Pending
Establishes the Office of Information Technology and the Information Technology Fund, provides for administrative and procurement procedures and for the Joint Cybersecurity Oversight Committee, imposes duties on the Office of Information Technology, provides for administration of Statewide Radio Network, imposes penalties.

Status: Pending
Provides for Cybersecurity Coordination Board.

Status: Pending
Amends the Public Utility Confidential Security Information Disclosure Protection Act, provides for procedures for submitting, challenging and protecting confidential security information, for applicability to other law and for prohibition.

Status: Pending
Provides for water and wastewater asset management plans. Relates to the development of cybersecurity system plans.

Status: Pending
Prohibits employees of the Commonwealth from using nonsecured Internet connections, provides for Commonwealth policy and for entities subject to the Health Insurance Portability and Accountability Act.

Status: Pending
Provides for the offense of ransomware, imposes duties on the Office of Administration.

Rhode Island

RI H.B. 5200

Status: Pending
Adopts the National Association of Insurance Commissioners Cybersecurity Act which establishes the current cybersecurity standard for insurers doing business in this state.

Status: Pending
Authorizes the secretary of state and board of elections to conduct an extensive cybersecurity assessment of our election systems and facilities and to establish a cybersecurity review board to review and assess our election system, creates a cybersecurity incident response group to adopt protocols in the event of any agency or public body breaches of cybersecurity.

Status: Pending
Establishes that manufacturers of devices capable of connecting to the Internet equip the devices with reasonable security features.

Status: Pending
Authorizes the secretary of state and board of elections to conduct an extensive cybersecurity assessment of our election systems and facilities and to establish a cybersecurity review board to review and assess our election system, creates a cybersecurity incident response group to adopt protocols in the event of any agency or public body breaches of cybersecurity.

Tennessee

TN H.B. 766
Status: Enacted
Establishes the exclusive standards for data security, licensees' investigations of cybersecurity events, and licensees' notification of cybersecurity events to the commissioner and affected consumers; provides that a licensee is a person, as defined, and does not include a purchasing group or risk retention group chartered and licensed in another state or a person acting as an assuming insurer and domiciled in another state or jurisdiction.

TN H.B. 925

Status: Enacted
Requires the state-level safety team to include cybersecurity policies and procedures in the template safety plan that Local Education Agencies must adopt as part of their comprehensive district-wide and building-level school safety plans.

TN S.B. 725
Status: Substituted on Senate floor by H 766
Establishes the exclusive standards for data security, licensees' investigations of cybersecurity events, and licensees' notification of cybersecurity events to the commissioner and affected consumers; provides that a licensee is a person, as defined, and does not include a purchasing group or risk retention group chartered and licensed in another state or a person acting as an assuming insurer and domiciled in another state or jurisdiction.

Status: Enacted
Clarifies that wireless communication includes text messages sent and received on smart devices for purposes of the Anti-Phishing Act.

Status: Failed - adjourned
Requires the state-level safety team to include cybersecurity policies and procedures in the template safety plan that Local Education Agencies must adopt as part of their comprehensive district-wide and building-level school safety plans.

Texas

TX H.B. 2

Status: Enacted
Relates to making supplemental appropriations and reductions in appropriations and giving direction and adjustment authority regarding appropriations.

Status: Failed -adjourned
Relates to the establishment of a grant program for promoting computer science certification and professional development in coding, technology applications, and computer science for public school teachers.

TX H.B. 307
Status: Failed
(Special session 1) Relates to state agency and local government security incident procedures.

Status: Enacted
Relates to state agency and local government compliance with cybersecurity training requirements.

Status: Failed--adjourned
Relates to the creation of the Fiscal Risk Management Commission.

Status: Failed--adjourned
Relates to the composition of the cybersecurity council.

Status: Failed--adjourned
Relates to emergency management for cybersecurity events threatening this state.

Status: Failed--adjourned
Relates to requiring the Department of Information Resources to conduct a study concerning the cybersecurity of small businesses.

Status: Failed--adjourned
Relates to computer science and technology applications in public schools, including the essential knowledge and skills of the technology applications curriculum, the establishment of a computer science strategic advisory committee, and the establishment of a computer science and technology applications professional development grant program for public school teachers.

Status: Enacted
Relates to the purchase of cybersecurity insurance coverage by the State Department of Transportation.

Status: Failed--adjourned
Relates to cybersecurity and privacy regarding distance learning in public schools and prohibiting ransomware payments by certain governmental entities.

Status: Failed--adjourned
Relates to the Powers and duties of the State Electric Grid Security and Emergency Preparedness Advisory Council.

Status: Failed--adjourned
Relates to protecting the population of the state, its environment, and its most vulnerable communities, promoting the resilience of the electric grid and certain municipalities.

TX H.B. 3892
Status: Failed--adjourned
Relates to matters concerning governmental entities, including cybersecurity, governmental efficiencies, information resources, and emergency planning.

TX H.B. 4018
Status: Enacted
relates to legislative oversight and funding of improvement and modernization projects for state agency information resource

Status: Failed--adjourned
Relates to the requirements for the purchase of endpoint devices by a state agency.

Status: Failed--adjourned
Relates to the development by the Public Utility Commission of the state of physical security and cybersecurity practices for certain utilities.

Status: Failed--adjourned
Relates to the duties and oversight of the Department of Public Safety's office of inspector general regarding the use of cyber technology and activity.

Status: Failed--adjourned
Relates to state and local governments requirements to report security incidents to the Department of Information Resources.

Status: Failed--adjourned
Relates to a cybersecurity monitor for certain electric utilities.

Status: Failed--adjourned
Relates to state agency and local government compliance with cybersecurity training requirements.

Status: Enacted
Relates to state agency and local government information security, including establishment of the state risk and authorization management program and the State volunteer incident response team, authorizes fees.

Status: Enacted
Relates to the composition of the cybersecurity council.

Status: Enacted
Relates to the regulation of commercial property and casualty insurance and insurance for certain large risks.

Status: Failed--adjourned
Relates to protecting the population of the state, its environment, and its most vulnerable communities, promoting the resilience of the electric grid and certain municipalities.

Status: Enacted
Relates to establishing a system for the sharing of information regarding cyber attacks or other cybersecurity incidents occurring in schools in this state.

Status: Failed--adjourned
Relates to the purchase of cybersecurity insurance coverage by the State Department of Transportation.

Status: Enacted
Relates to prohibiting contracts or other agreements with certain foreign-owned companies in connection with critical infrastructure in this state.

Status: Failed--adjourned
Relates to certain standardization in cybersecurity degree programs offered by public institutions of higher education.

Status: Failed--adjourned
Relates to pathways to assist students in transitioning from high school to postsecondary education in cybersecurity.

Status: Failed--adjourned
Relates to the resilience of the electric grid and certain municipalities.

Status: Failed--adjourned 
(Special session 1) Relates to emergency management for cybersecurity events threatening this state.

Status: Failed--adjourned
(Special session 1) Relates to state agency and local government security incident procedures.

Status: Failed--adjourned
(Special session 1) Relates to the resilience of the electric grid and certain municipalities.

Status: Failed--adjourned
(Special session 2) Relates to emergency management for cybersecurity events threatening this state.

Status: Enacted
(Special session 2) Relates to election integrity and security, including by preventing fraud in the conduct of elections in this state, increases criminal penalties, creates criminal offenses, provides civil penalties.

Status: Failed--adjourned
(Special session 2) Relates to the resilience of the electric grid and certain municipalities.

Utah

UT H.B. 80
Status: Enacted
Creates affirmative defenses to certain causes of action arising out of a breach of system security.

Virginia

VA H.B. 30

Status: Enacted
Relates to the Budget Bill, provides for all appropriations of the Budget submitted by the Governor, provides a portion of revenues for upcoming biennium.

Status: Failed - adjourned
Relates to Virginia Information Technologies Agency, relates to Cybersecurity Advisory Council created, relates to report, creates the Cybersecurity Advisory Council to assist the Chief Information Officer (CIO) of the Virginia Information Technologies Agency with the development of policies, standards, and guidelines for assessing security risks, determining appropriate security measures, and performing security audits of government electronic information, provides that make recommendations to the CIO.

Status: Failed
Relates to the register of volunteer cybersecurity and information technology professionals, directs the Secretary of Administration to establish a register of cybersecurity and information technology professionals interested in volunteering to assist localities and school divisions, in collaborating on workforce development, and in providing mentorship opportunities.

Status: Enacted
Relates to the Information Technologies Agency, requires the Chief Information Officer of the Information Technologies Agency to develop and annually update a curriculum and materials for training all state employees in information security awareness and in proper procedures for detecting, assessing, reporting, and addressing information security threats.

Status: Failed
Relates to Virginia Cyber Initiative Act, directs the Virginia Information Technologies Agency to work with public and private institutions of higher education, state agencies, and businesses in the Commonwealth to develop a cyber alliance, to be known as the Virginia Cyber Initiative, to reduce cyber risks and encourage economic development in the cybersecurity field.

Status: Enacted
Amends the Emergency Services and Disaster Law, defines cyber incident for purposes of the Law as an event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, and physical or virtual infrastructure controlled by computers or information systems., makes technical corrections.

Status: Enacted
Establishes standards for insurance data security, for the investigation of a cybersecurity event, and for the notification to the Commissioner of Insurance and affected consumers of a cybersecurity event, requires insurers to develop, implement, and maintain a comprehensive written information security program based on an assessment of its risk that contains administrative, technical, and physical safeguards.

Status: Enacted
Relates to Budget Bill, amends the 2020 Special Session I Acts of Assembly. Includes funds to implement a training curriculum for state employees on best practices for cyber security.

Status: Failed
Relates to study, relates to Department of Elections, relates to use of blockchain technology to protect voter records and election results, relates to report, requests the Department of Elections to conduct a study to determine the kinds of blockchain technology that could be used to secure voter records and election results, determine the costs and benefits of using such technology as compared to traditional registration and election security measures, and make recommendations.

Status: Adopted
Requests the Information Technologies Agency to study the Commonwealth's susceptibility, preparedness, and ability to respond to ransomware attacks, provides that in conducting its study, the Agency shall assess the Commonwealth's susceptibility to ransomware attacks at the state and local levels of government.

Status: Enacted
Relates to computer trespass, relates to penalty, expands the crime of computer trespass to provide that the prohibited actions that constitute computer trespass are criminalized if done through intentionally deceptive means and without authority, specifies that a computer hardware or software provider, an interactive computer service, or a telecommunications or cable operator does not have to provide notice of its activities to a computer user that a reasonable computer user should expect may occur.

Status: Failed - adjourned
Relates to civil action, relates to sale of personal data, requires a person that disseminates, obtains, maintains, or collects personal data about a consumer for a fee to implement security practices to protect the confidentiality of a consumer's personal data, obtain express consent of a parent of a minor before selling the personal data of such minor, provide access to consumers to their own personal data that is held by the entity, and refrain from maintaining or selling data.

Status: Enacted
Relates to computer crimes, provides that any person, who, without the intent to receive any direct or indirect benefit, maliciously sends an electronically transmitted communication containing a false representation intended to cause another person to spend money, and such false representation causes such person to spend money, is guilty of a Class 1 misdemeanor.

Vermont

VT H.B. 274

Status: Failed - adjourned
Relates to consumer protection and collection of consumer information.

Status: Failed - adjourned
Relates to creating the crime of extortion by introducing ransomware.

Status: Enacted
Relates to miscellaneous energy subjects. Provides that records relating to a regulated utility's cybersecurity program, assessments, and plans, including all reports, summaries, compilations, analyses, notes, or other cybersecurity information are not public records.

Status: Enacted
Makes appropriations in support of government for the fiscal year. Provides that the Secretary shall prepare and submit a strategic plan for information technology and cybersecurity, concurrent with the Governor's annual budget request required under 32 V.S.A. Section 306. Provides funding to the Agency of Digital Services cybersecurity - core infrastructure replacement and router replacements for public safety connections to the municipalities.

Washington

WA H.B. 1068

Status: Enacted
Exempts election security information from public records disclosure.

Status: Failed - adjourned
Fosters economic growth in Washington by supporting emerging businesses in the new space economy.

Status: Enacted
Makes 2021-2023 fiscal biennium operating appropriations.

Status: Enacted
Concerns cybersecurity and data sharing in Washington state government.

Wisconsin

WI A.B. 147

Status: Failed 
Imposes requirements related to insurance data cybersecurity, grants rule making authority.

Status: Enacted
Imposes requirements related to insurance data cybersecurity, grants rule making authority.

West Virginia

WV H.B. 2763

Status: Enacted
Creates cyber incident reporting.

Status: Failed - adjourned
Relates to data disposal protection.

Wyoming

WY S.B. 132
Status: Failed
Relates to the legislature, requires the joint corporations, elections and political subdivisions interim committee to study emergency preparedness and energy distribution in the event of a disruption of federal government operations, requires a report, provides for an effective date.

Puerto Rico

PR HR 468

Status: Pending
Orders the House Committee on Finance and Budget to carry out an investigation into the cyber attack caused by ransomware in 2017, causing a state of emergency in the Department of the Treasury.

Status: Pending
Amends Law 20 of 2017, the Law of the Department of Security, in order to add functions and powers to the Office of Security Information Management, which are essential to really achieve the implementation of the system interoperability of communications and that it has a proper and accurate operation.

Additional Resources

• Computer Crime (and Ransomware) Statutes
• Data Security Laws - Government
• Data Security Laws - Private Sector
• Security Breach Statutes and Legislation  
• Statewide Cybersecurity Task Forces 
• Data Disposal Statutes
• NCSL Cybersecurity Task Force

What is the subject of the Computer Security Act of 1987 quizlet?

Which of the following acts is also widely known as the Gramm Leach Bliley Act?

What is the subject of the Computer Security Act?

Which of the following acts is a collection of statutes that regulate the interception of wire electronic and oral communications?

What act defines stiffer penalties for prosecution of terrorist crimes?