Cybersecurity Legislation 2015

12/31/2015

 

Cyber threats have enormous implications for government security, economic prosperity and public safety.

States are addressing cybersecurity through various approaches, including requiring government or businesses to implement security procedures or security audits, creating studies or task forces, and promoting the cybersecurity industry or training for technology skills, among other approaches. See also NCSL's security breach information for related legislation about notification requirements for businesses and government. (Note: This Web page does not include legislation relating to student data security.)

2015 Cybersecurity Legislation

SecurityEnd of year summary: Legislation related to cybersecurity or data security was introduced in at least 26 states in 2015. Legislation was enacted in at least eight states: California, Connecticut, Kansas, Maryland, New Jersey, North Carolina and Texas. Executive orders became effective in eight states

Arizona

H.B. 2566
Status: April 9, 2015; Vetoed by governor
Relates to state computers; relates to sensitive electronic data

Arkansas

H.B. 1807
Status: April 7, 2015; Act No. 1188
Amends the State Multi-Agency Insurance Trust Fund Act. Provides for a new expenditure from the fund for cybersecurity risk insurance premiums and expenses. Adds the State Risk Manager as the entity that approves a state agency's participation in the fund.

California

A.B. 670
Status: Oct. 6, 2015; Signed by governor, Chapter 518
Requires the Office of Information Security to require no more than a specified number of independent security assessments of state entities each year and determine the assessment's basic standards of services.

A.B. 739
Status: May 12, 2015; In Assembly Committee on Judiciary: Not heard.
Provides there shall be no civil or criminal liability for, and not cause of action shall lie or be maintained against any private entity for sharing or receiving cybersecurity-threat information if such action is conducted in a specified manner. Provides when such immunity is valid. Prohibits using the information for an unfair business advantage. Requires compliance with all restrictions placed on the communication, and to insure anonymization and minimization of the information.

A.B. 1172
Status: Sept. 4, 2015; In Senate. From third reading. To Inactive File.
Continues in existence the State Cyber Security Task Force. Authorizes the task force to convene stakeholders to act in an advisory capacity and compile policy recommendations on cybersecurity for the state. Requires the task force to perform specified functions relating to cybersecurity, and to issue a report on policy recommendations to the governor's office and Legislature. Creates a state director of cybersecurity within the Governor's Office of Emergency Services.

S.B. 26
Status: May 28, 2015; In Senate Committee on Appropriations: Held in committee.
Requires the secretary of the state health and human services to contract to administer the State Health Care Cost and Quality Database. Requires the contractor to report a health care entity that fails to comply with specified requirements. Requires all disclosures to comply with state and federal privacy and data security. Prohibits the disclosure of individually identifiable health data. Requires a review committee to develop parameters for establishing and maintaining the database.

S.B. 1024
Status: Failed – Adjourned.
Concerns the security of consumer data; requires health insurers and other entities to implement security technology that encrypts the personal information of insureds and enrollees that is compiled or maintained by such insurer or entity, and to authorize the Insurance Commissioner to adopt regulations in consultation with the Commissioner of Consumer Protection to establish minimum standards for such security technology.

Connecticut

H.B. 6317
Status: June 23, 2015; Special Act No. 15-13
Concerns a study of cybersecurity; requires the Department of Administrative Services, in consultation with the Department of Emergency Services and Public Protection, to conduct a study examining cybersecurity issues facing the state; relates to recommendations to promote and coordinate communication between government entities, law enforcement, institutions of higher education, the private sector and the public to improve cybersecurity preparedness.

H.B. 7055
Status: May 18, 2015; Failed—Adjourned.
Establishes or extends various tax credits to incentivize investment in brownfield remediation, green technology, cybersecurity, bioscience and various start-up and small businesses.

S.B. 835
Status: March 24, 2015; Failed Joint Favorable deadline.
Concerns Cybersecurity; encourages the growth of a cybersecurity sector in Connecticut.

S.B. 949
Status: June 30, 2015; Public Act No. 15-142
Relates to data security and agency effectiveness; relates to contractor compliance with breach of confidential information procedures, a data-security program for the protection of confidential information and a report of any breach; requires the Office of Policy and Management to furnish financial accounting statements; requires any owner or licensee of computerized data to provide identity theft protection or mitigation services to victims; requires an inoperable feature on sales of smart phones.

S.B. 958
Status: July 10, 2015; Special Act No. 15-21
Establishes strategic partnerships in cybersecurity; relates to the Commissioner of Economic and Community Development; provides for an assessment of the resources in the state to support the growth of the sector; concerns the chief executive officer of Connecticut Innovations, Incorporated; relates to partners to aid in the development of the cybersecurity sector; relates to the sector including educational institutions, cybersecurity businesses and trade associations, and nonprofit organizations.

S.B. 1024
Status: Failed – Adjourned.
Concerns the security of consumer data; requires health insurers and other entities to implement security technology that encrypts the personal information of insureds and enrollees that is compiled or maintained by such insurer or entity, and to authorize the Insurance Commissioner to adopt regulations in consultation with the Commissioner of Consumer Protection to establish minimum standards for such security technology.

Georgia

H.R. 473
Status: April 2, 2015; Pending—Carryover.
Creates the Joint Study Committee on Cyber Security.

H.R. 724
Status: April 2, 2015; Pending—Carryover.
Creates the House Study Committee on Cyber Security and Privacy.

H.R. 788
Status: March 27, 2015; Pending—Carryover.
Creates the House Study Committee on Cyber Security.

S.R. 360
Status: January 11, 2016; Pending—Carryover.
Creates the Senate Data Security and Privacy Study Committee.

S.R. 412
Status: March 9, 2015; Pending; Carryover
Creates the Senate Cyber Challenge Study Committee.

Hawaii

H.B. 746
Status: May 1, 2015 Pending; Carryover
Exempts the cybersecurity, economic, education, and infrastructure security coordinator from civil service to oversee cybersecurity and cyber resiliency; establishes one secretary position in the department of defense; appropriates moneys.

H.B. 979
Status: March 12, 2015; Pending; Carryover
Relates to cybersecurity workforce development; establishes a cybersecurity employment training initiative within the University of Hawaii community college system; appropriates funds for the operation of the initiative; increases the number of qualified employees.

H.B. 1279
Status: March 12, 2015; Pending; Carryover
Establishes a statewide cybersecurity council to identify and assess critical computer infrastructure and make annual recommendations to the Legislature.

S.B. 628
Status: March 12, 2015; Pending; Carryover
Authorizes the issuance of general obligation bonds for government facilities for the state information technology and cyber security operations, sheriff division, Honolulu fire department, and Honolulu Police Department as part of the central Oahu first responders technology campus and cyber security command center.

S.B. 746
Status: March 12, 2015; Pending; Carryover
Exempts the Hawaii cybersecurity, economic, education, and infrastructure security coordinator from civil service; establishes one secretary position; appropriates moneys.

S.B. 1148
Status: March 12, 2015; Pending; Carryover
Establishes a cybersecurity employment training initiative within the University of Hawaii community college system; appropriates funds for the operation of the initiative.

Indiana

H.R. 2
Status: January 12, 2016; Passed House.
Urges the legislative council to assign to the appropriate study committee the topic of cybersecurity and the feasibility of adding cybersecurity to the commercial code for the purposes of liability insurance.

Kansas

H.B. 2010
Status: June 26, 2015; Signed by Governor
Relates to information technology audits; includes assessment of security practices and data mining of electronic records for indications of waste, fraud, abuse or noncompliance with laws or contract provisions by any state agency or entity subject to audit; includes systems development and implementation; provides for meetings and reports outside of meetings.

Maine

H.B. 102
Status: July 16, 2015; Failed.
Establishes a task force to study state and federal laws regarding online privacy and data security; requires the task force to identify policy options for the State to consider to protect consumers from identity theft and fraud when making purchases online.

Maryland

H.B. 950
Status: February 18, 2015; Failed—Adjourned.
Alters the definition of investment for the cybersecurity investment incentive tax credit to include convertible debt; defines a specified term; provides that the Act shall apply to investments made in qualified Maryland cybersecurity companies after June 30, 2015.

S.B. 351
Status: April 6, 2015; Withdrawn from further consideration.
Alters the definition of investment for the cybersecurity investment incentive tax credit to include convertible debt; defines a specified term; provides that the Act shall apply to investments made in qualified Maryland cybersecurity companies after June 30, 2015.

S.B. 542
Status: May 12, 2015; Chapter No. 358
Establishes the State Cybersecurity Council; provides for the composition, chair, and staffing of the council; prohibits a member of the council from receiving specified compensation; authorizes the reimbursement of specified expenses; requires the cCouncil to work with specified entities to take specified actions related to cybersecurity; requires the council to submit a report on its activities to the General Assembly.

S.B. 543
Status: February 20, 2015; Withdrawn from further consideration.
Establishes the Task Force on Procurement and Cybersecurity; provides for the composition, chair, and staffing of the Task Force; requires the Task Force to conduct a study and make recommendations regarding specified law, policies, procedures, and best practices that should be adopted by the state; requires the task force to submit its recommendations to the governor and specified committees of the General Assembly on or before July 1, 2018.

S.B. 544
Status: April 3, 2015; Failed—Adjourned.
Requires that the statewide information technology master plan developed by the Secretary of Information Technology include a cybersecurity framework; requires that the Secretary consider materials developed by the National Institute of Standards and Technology in developing or modifying the cybersecurity framework.

S.B. 603
Status: May 15, 2015; Enacted; Chapter No. 534
Relates to economic development, the Maryland Technology Development Corporation and the Cybersecurity Investment Fund; provides for investments and reports; relates to seed and early stage funding for emerging technology companies located in the state that are focused on cybersecurity technology product development; provide support for investments and investment earnings of the fund.

S.B. 718
Status: February 18 2015; Failed --Adjourned
Requires the statewide information technology master plan developed by the Secretary of Information Technology to include a specified policy requiring specified vendors to establish that an information technology product or piece of equipment is safe from embedded security threats.

Massachusetts

H.B. 225
Status: October 27, 2015; In Joint Committee on Consumer Protection and Professional Licensure: Heard. Eligible for Executive Session.
Protects the privacy and security of residents' biometric information.

Mississippi

H.B. 200
Status: February 25, 2015; Died in committee.
Authorizes an income tax credit for qualified Mississippi cybersecurity companies in which certain investments are made; requires qualified Mississippi cybersecurity companies to apply to the Mississippi Development Authority to establish the company's eligibility for the tax credit; prescribes the minimum requirements that must be satisfied by companies seeking the tax credit; prescribes the amount of the tax credit.

Montana
D. 686

Status: April 28, 2015; Failed; Draft died in process
Revises security standards for state held and maintained data; relates to information technology.

New Jersey

A.B. 4490
Status: June 4, 2015; Pending.
Creates the New Jersey Cybersecurity Commission; appropriates $50,000.

S.B. 808
Status: January 12, 2016; Pending.
Creates the New Jersey Cybersecurity Commission; appropriates $50,000.

S.B. 3220
Status: January 11, 2016; Chapter No. 2015-193
Establishes a process to integrate certain health data and other data from publicly supported programs for population health research; establishes a specified Governing Board and vests the board with oversight of the statewide integrated Public Health Data Project; provides for identification of certain publicly supported programs and adoption of policies for privacy and data security and retention; requires certain agencies and departments to transmit or allow access to certain data.

New Mexico

S.B. 99
Status: February 10, 2015; From Senate Committee on Corporations and Transportation: Do pass.
Relates to taxation; provides a gross receipts deduction for receipts from the sale of certain cybersecurity devices.

New York

A.B. 6130
Status: Pending.
Requires the formation of a cyber security advisory board and the implementation of a cyber security initiative.  

A.B. 6133
Status: Pending.
Requires a comprehensive review of all cyber security services to be performed every five years.

A.B. 6866
Status: Pending.
Relates to the data security act.

S.B. 3405
Status: Pending.
Relates to cyber security reports; requires a comprehensive review of all cyber security services to be performed every five years; includes a detailed assessment of each and every cyber security need of the state; includes any local government entity.

S.B. 3407
Status: Pending.
Relates to a cyber security initiative; provides legislature findings and declares that repeated cyber intrusions into critical infrastructure, effecting government, private sectors business, and citizens of the state have demonstrated the need for improved cyber security; provides that all appointed members shall have expertise in cyber security, telecommunications, internet service delivery, public protection, computer system and network.

S.B. 4887
Status: Pending.
Relates to the data security act.

North Carolina

H.B. 97
Status: September 18, 2015; Signed by Governor, S.L. 2015-241
Sec. 7.20 of S.L. 2015-241 directs the Joint Legislative Oversight Committee on Information Technology to study data security issues and liability for security breaches involving both the public and private sector.

North Dakota

S.C.R. 4012
Status: March 23, 2015; Enrolled
Directs the Legislative Management to study the privacy, security, and data sharing laws in North Dakota, the effectiveness of federal privacy, security, and data sharing laws and the laws of other states, the interaction of federal and state laws, and whether current privacy, security, and data sharing protections meet the reasonable expectations of the citizens of North Dakota.

Oregon

H.B. 3394
Status: July 6, 2015; Failed.
Establishes Task Force on Cyber Security Preparedness; directs task force to study taxation of Internet service and develop plan for implementation of tax by Jan. 1, 2019; requires report to be submitted to interim committee related to revenue no later than Sept. 15, 2016; sunsets on Dec. 31, 2016; takes effect on 91st day following adjournment sine die.  

Rhode Island

H.B. 2550
Status: July 2, 2015; Public Law No. 2015-148
Creates the Identity Theft Protection Act to protect personal information from unauthorized access, use, modification, destruction or disclosure, and to preserve the confidentiality and integrity of such information; requires agencies and other persons that store certain information to implement a risk-based information security program; provides for certain contract requirements; requires notification of breaches.

S.B. 134
Status: June 26, 2015; Public Law No. 2015-138
Creates the Identity Theft Protection Act to protect personal information from unauthorized access, use, modification, destruction or disclosure, and to preserve the confidentiality and integrity of such information; requires agencies and other persons that store certain information to implement a risk-based information security program; provides for certain contract requirements; requires notification of breaches.

South Carolina

H.B. 3226
Status: January 13, 2015; Pending
Creates the Department of Information Security to provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support state operations and assets; provides for binding regulations regarding; provides for an external audit.

Texas

S.B. 34
Status: July 8; Filed with Secretary of State. Chapter No. 369
Relates to a report concerning information security for this state's information resources, relates to security plans, provides that the department shall omit from any written copies of the report information that could expose specific vulnerabilities in the security of this state's information resources.

S.B. 35
Status: May 13, 2015; Failed-Adjourned
Relates to the acknowledgment by management of risks identified in state agency information security plans; provides that each state agency shall include in the agency's information security plan a written acknowledgment that the executive director or other head of the state agency, the chief financial officer, and each executive manager as designated by the state agency have been made aware of the risks revealed during the preparation of the agency's information security plan.

Utah

S.B. 63
Status: April 22, 2015; Chaptered. Chapter No. 427
Modifies the Insurance Code to address the Workers' Compensation Fund; addresses the powers of the fund and its subsidiaries; changes the method by which board members are selected; removes references to the Governor's Office of Economic Development; addresses compensation of board members; defines workers' compensation products and services by including services related to improved employment practices, procedures, and data security.

S.B. 255
Status: April 22, 2015; Chaptered. Chapter No. 371
Creates a Data Security Management Council to develop recommendations for data security and risk assessment; directs the council to study statewide data security issues and develop best practice recommendations.

Virginia

H.J.R. 655
Status: Failed.
Relates to study; relates to Secretary of Public Safety and Homeland Security; relates to Virginia Cyber Protection Teams; relates to report.

S.B. 1109
Status: March 16, 2015; Acts of Assembly. Chapter No. 182
Relates to open meeting exemptions; relates to discussions relating to cybersecurity; expands the open meeting exemption for the discussion of plans to protect public safety as it relates to terrorist activity or specific cybersecurity threats or vulnerabilities; relates to discussion of certain records where discussion in an open meeting would jeopardize the safety of any person or security of any facility, building, structure, information technology system or software program.

S.B. 1121
Status: March 17, 2015; Enacted; Signed by Governor; Acts of Assembly Chapter No. 261
Relates to IT responsibility of agency directors; provides that the director of every department in the Executive Branch of State government shall be responsible for securing the electronic data held by that department and shall comply with the requirements of the Commonwealth's Information Technology Security and Risk Management Program as developed by the Chief Information Officer.

S.B. 1129
Status: March 16, 2015; Acts of Assembly. Chapter No. 183
Relates to the Freedom of Information Act; relates to record exemption for public safety; relates to cybersecurity; expands the current record exemption for plans and information to prevent or respond to terrorism to include information not lawfully available to the public regarding specific cybersecurity vulnerabilities or security plans and measures of an entity, facility, network, software program, or system; contains technical amendments.

Washington

H.B. 1468
Status: Pending—Carryover.
Grants the governor authority to proclaim a state of emergency in the event of a cybersecurity incident

H.B. 1470
Status: Pending—Carryover.
Establishes a blue-ribbon panel on cybersecurity.

H.B. 1561
Status: June 28, 2015; Pending – Carryover.
Concerns the consideration of information technology security matters.

H.B. 2243
Status: Pending—Carryover.
Requires a study of incentive methods for attracting high-demand talent in information technology and cyber security to state agencies.

H.B. 2244.
Status: Pending—Carryover.
Creates the cyber security conditional loan program.

Powered By StateNet
LexisNexis General Terms and Conditions