
Legislation Watch: 2021 State Cybersecurity Roundup and States to Watch in 2022

Feb 09, 2022

A Look Back at 2021

In 2021, 45 states and Puerto Rico introduced or considered 301 pieces of legislation dealing with cybersecurity. Of those 45 states, 35 enacted bills pertaining to cybersecurity.

Topics covered in adopted state legislation include strengthening security measures for protecting government agencies and resources, cybersecurity training, data, ransomware, resources and the creation of task forces, studies and commissions.

North Carolina became the first state to pass a law that would prohibit government entities from paying ransomware demands. Indiana passed legislation that requires reporting for all incidents related to ransomware.

Both Connecticut and Utah passed bills that provide incentives for the private sector to put reasonable security practices in place to prepare for possible cybersecurity breaches. Georgia, Kansas, Michigan, Vermont and Washington enacted laws to exempt certain cybersecurity information from disclosure under public records laws.

Hawaii, Iowa, Maine, Minnesota, Tennessee and Wisconsin all passed legislation related to insurance data security standards. Louisiana and Virginia adopted resolutions providing for cybersecurity studies.

Only California and Texas set aside specific appropriations for cyber threats and cybersecurity purposes during the 2021 legislative session. California set aside $2 million to establish and operate the Office of Elections Cybersecurity, and Texas passed the most significant cybersecurity law of any state in 2021 with the creation of the Technology Improvement and Modernization Fund. This bill appropriated $898.6 million to address cybersecurity and legacy system risks outlined in the state’s 2020 Prioritized Cybersecurity and Legacy Systems.

Following several high-profile data breaches in 2021, several state legislatures are likely to focus their cybersecurity bills on data privacy as well as tightening cybersecurity rules for companies in the 2022 legislative sessions.

Looking Ahead to 2022

Six states – Arizona, Connecticut, Florida, Minnesota, Mississippi and Washington – have confirmed they will introduce California Consumer Privacy Act (CCPA) legislation during the 2022 session. Each of these states considered CCPA legislation in the last session as well, which leaves them poised to advance legislation during the 2022 session.

Maryland Senator Susan Lee pre-filed a bill (SB11) back in October 2021. The bill would regulate the collection and use of consumers’ personal information by businesses, establishing the right of a consumer to receive information regarding collection practices, to have personal information deleted by a business and to prohibit the disclosure of personal information by a business.

Alaska, Massachusetts, New York, North Carolina, Ohio, Oklahoma, South Carolina and Vermont will all consider bills related to the CCPA that will carry over from the 2021 legislative session. These are states to watch because carried-over legislation often brings more momentum in states that allow it.

States to watch closely this session for cybersecurity movement include North Carolina, California, Texas, Florida, Oklahoma and Washington.

North Carolina is one to watch due to the passage of the strictest law in the United States regarding ransomware. California, among others, is expected to consider several consumer privacy bills this session. Texas considered thirty-seven total pieces of cybersecurity legislation in 2021 and passed the largest bill in terms of appropriations. It is a state that is likely to make cybersecurity waves in 2022.

Florida and Oklahoma came close to passing data privacy legislation previously and will consider it again in 2022, with supportive Attorneys General encouraging that cybersecurity and data privacy laws be put in place sooner rather than later.

Representative Collin Walke (D) of Oklahoma and Washington’s Representative Shelley Kloba (D) are vocal proponents of cybersecurity and are two state legislators to keep an eye on in 2022.

Washington State failed for the third straight session to pass the Washington Privacy Act in 2021, but the bill is likely to be reintroduced. Washington is a state to watch, as legislators have vocally vowed to push harder for stricter requirements and more consistency in standardized consumer data protection.

With cybersecurity concerns becoming more prevalent, state and federal legislatures can no longer delay in addressing these important topics. Expect the number of bills to increase in many states as increased pressure from both the media and lobbyists pushes legislators. This will force laws to be put in place that both grant appropriations and address data security, ransomware, education and the establishment of task forces and commissions to address the mounting issues associated with cybersecurity risks.