Cybersecurity Legislation 2020

5/13/2020

cybersecurity

Cybersecurity remains a focus in state legislatures, as many propose measures to address cyberthreats directed at governments and private businesses. 

2020 Introductions

At least 38 states, Washington, D.C., and Puerto Rico introduced or considered more than 280 bills or resolutions that deal significantly with cybersecurity. Some of the areas seeing the most legislative activity include measures:

  • Requiring government agencies to implement training or specific types of security policies and practices and improving incidence response and preparedness.
  • Increasing penalties for computer crime or addressing specific crimes, e.g., ransomware.
  • Regulating cybersecurity within the insurance industry or addressing cybersecurity insurance.
  • Creating task forces, councils or commissions to study or advise on cybersecurity issues.
  • Supporting programs or incentives for cybersecurity training and education.

State appropriations for cybersecurity are listed here if they are focused on those that include specific mandates or projects to be funded. Other top cybersecurity issues include election security (see NCSL's Elections database for other types of elections security-related legislation) and cybersecurity threats to the energy infrastructure and other critical infrastructure (see NCSL's Energy Program resources more information). Other NCSL resources address related topics such as security breach laws and legislation, privacy and other issues. 

 

2020 Cybersecurity Legislation

Alaska

AK H 245
Status: Pending
Relates to the definition of disaster.

Arkansas

AR E.O. 17
Establishes the State Computer Science and Cybersecurity Task Force.

California

CA A 1376
Status: Pending
Amends veterans' preference provisions to require the Department of Human Resources to collaborate with specified state entities to establish a veterans' preference to be applied to employment opportunities within the field of cybersecurity that require a background check.

CA A 1917
Status: Pending
Makes appropriations for the support of state government for the current fiscal year.

CA A 2320
Status: Pending
Requires a contract with a contractor doing business with a state agency to require that the contractor maintain cyber insurance if the contractor receives or has access to records containing personal information protected under the Information Practices Act.

CA A 2326
Status: Pending
States the intent of the legislature to enact future legislation relating to school cybersecurity.

CA A 2507
Status: Pending
Adds the Development of General Services as one of the organizations whose representatives comprise the Cybersecurity Integration Center.

CA A 2564
Status: Pending
States the intent of the legislature to enact legislation to improve the security of information technology systems and connected devices by requiring public agencies and businesses to develop security vulnerability disclosure policies.

CA A 2669
Status: Pending
States the intent of the legislature to enact legislation relating to state information security programs.

CA A 3276
Status: Pending
Expresses the intent of the legislature to enact subsequent legislation that would require every school district in the state to conduct an information technology cybersecurity assessment.

CA S 239
Status: Pending
Requires the prosecution for a felony violation of certain crimes to be commenced within three years after discovery of the commission of the offense.

CA S 922
Status: Pending
Requires the prosecution for a felony violation of specified computer-related crimes, including introducing ransomware into a computer with intent to extort property from another, to be commenced within three years after discovery of the commission of the offense.

CA S 1218
Status: Pending
Requires the commission to adopt inspection, detection, response, and replacement standards, and to adopt rules, to address the cybersecurity risks to the transmission and distribution systems of electrical corporations, electrical cooperatives, and gas corporations, and would require the standards or rules to provide for secure and reliable service.

Connecticut

CT H 5430
Status: Pending
Makes clear that computer crimes include attacks that involve any computer, computer network or computer software that is owned, leased or licensed by a financial institution, and targeted at the money, property or personal information of customers that is being held by a financial institution in connection with a loan or deposit account, or in a fiduciary, trust or custodial capacity.

CT H 5511
Status: Pending
Requires that the Commissioner of Emergency Services and Public Protection analyze municipal cybersecurity needs throughout the state and determine the feasibility of the Department of Emergency Services and Public Protection providing individualized assistance to municipalities most at risk of suffering cybersecurity attacks.

CT S 235
Status: Pending
Establishes a cybersecurity task force.

Florida

FL H 821
Status: To Governor
Relates to public records and meetings, revises a provision to reflect the abolishment of the Agency for State Technology, provides an exemption from public records requirements for portions of records held by a state agency that contain network schematics, hardware and software configurations and encryption, provides an exemption from public meetings requirements for portions of meetings that would reveal such records.

FL H 865
Status: Failed
Relates to emergency reporting, requires a county or municipality to report certain incidents to the State Watch Office within the Division of Emergency Management, authorizes the division to establish guidelines to specify additional information that must be provided by a reporting county or municipality.

FL HM 525
Status: Failed
Urges Congress to support the State Cyber Resiliency Act and to direct the United States Department of Homeland Security to administer state and local cybersecurity grants.

FL H 4007
Status: Failed--adjourned
Provides an appropriation for the West Palm Beach Supervisory Control and Data Acquisition (SCADA) Cybersecurity Technology Upgrades.

FL H 5001
Status: To Governor
Relates to General Appropriations Act, provides moneys for annual period beginning on a specified date, and ending on a specified date, and supplemental appropriations for period ending on a specified date, to pay salaries and other expenses, capital outlay-buildings and other improvements, and for other specified purposes of various agencies of state government, includes funding for certain coronavirus response items.

FL H 5003
Status: Failed--adjourned
Relates to Implementing the 2020-2021 General Appropriations Act, implements specified appropriations of the General Appropriations Act for 2020-2021 fiscal year.

FL S 1170
Status: Failed
Revises a provision to reflect the abolishment of the Agency for State Technology, provides an exemption from public records requirements for portions of records held by a state agency which contain network schematics, hardware and software configurations, or encryption, provides an exemption from public meetings requirements for portions of meetings which would reveal certain records.

Georgia

GA H 641
Status: Pending
Relates to general provisions regarding the Georgia Bureau of Investigation, so as to grant the Georgia Bureau of Investigation Powers and duties to identify and investigate violations of Article 6 of Chapter 9 of Title 16 of the Official Code of Georgia Annotated, the Georgia Computer Systems Protection Act, and other computer crimes, provides for subpoena power by the bureau for such investigations, provides for related matters, repeals conflicting laws.

GA H 792
Status: Enacted
Utilizes funds from the Revenue Shortfall Reserve and matches federal funds for coronavirus preparedness and response efforts and to enhance cybersecurity technology.

GA H 862
Status: Pending
Relates to the Georgia Bureau of Investigation, so as to provide for the establishment of a Cybersecurity Task Force, provides for its membership, powers and duties, reports and recommendations and dissolution, provides for definitions, provides for related matters, repeals conflicting laws.

GA H 1004
Status: Pending
Relates to imposition, rate, and computation and exemptions regarding income taxes, provide for income tax credits for higher education for the Fort Gordon Cyber Security and Information Technology Innovation Corridor and the Savannah Logistics Technology Innovation Corridor, provides for definitions, provides for applicability and eligibility, provides for limitations, provides for related matters, repeals conflicting laws.

GA H 1049
Status: Pending
Facilitates the sharing of information and reporting of cyberattacks, requires governmental agencies and utilities to report any cyberattacks to the director of emergency management and homeland security, provides for the director to promulgate certain rules and regulations, provides for proceedings related to cybersecurity to be held in executive session, provides for certain information, data, and reports related to cybersecurity and cyberattacks to be exempt from public disclosure and inspection.

GA H 1133
Status: Pending
Relates to general provisions of state government so as to prohibit state agencies from paying ransoms in response to cyber attacks, provides for a definition, provides for related matters, provides for an effective date, repeals conflicting laws.

GA HR 1093
Status: Pending
Creates the House Study Committee on Cybersecurity.

GA S 21
Status: Pending
Relates to competencies and core curriculum, requires each local board of education to prescribe mandatory instruction concerning cybersecurity in every year in every grade from kindergarten through 12, provides for a definition, requires the State Board of Education to prescribe a minimum course of study in cybersecurity, provides for duties of the state school superintendent.

GA S 493
Status: Pending
Relates to selling and other trade practices, provides for legislative findings, provides standards for cybersecurity programs to protect businesses from liability, provides for affirmative defenses for data breaches of private information, provides for related matters, provides for an effective date, repeals conflicting laws.

GA  E.O. 182
Reconstitutes the State Government Systems Cybersecurity Board and mandating cybersecurity training.

Hawaii

HI H 1553
Status: Pending
Establishes the State Fusion Center as a program under the Office of Homeland Security and establishes the state-funded position of State Fusion Center Director to manage the daily operations of the center.

HI H 1685
Status: Pending
Establishes an income tax credit for investment in qualified businesses that develop cybersecurity and artificial intelligence.

HI H 2134
Status: Pending
(Short Form Bill) Relates to cybersecurity.

HI H 2333
Status: Pending
Establishes the State Fusion Center as a program under the Office of Homeland Security, establishes the position of State Fusion Center Director who shall be state-funded, responsible to the director of Homeland Security, and accountable to manage the operations of the center.

HI S 2889
Status: Pending
(Governor Package) Establishes the Hawaii State Fusion Center as a program under the Office of Homeland Security and establishes the position of Hawaii State Fusion Center director who shall be state-funded, responsible to the director of Homeland Security, and accountable to manage the operations of the center.

Iowa

IA D 1175
Status: Pending
Relates to secretary of state, elections technical bill.

IA D 5247
Status: Pending
Relates to cybercrime investigation bureau.

IA H 39
Status: Pending
Relates to student data collection by the Department of Education, school districts and accredited nonpublic schools.

IA H 2250
Status: Pending
Relates to election systems security.

IA H 2568
Status: Pending
Establishes a cybercrime investigation unit in the department of public safety to investigate crimes with a nexus to the internet or computer technology including crimes involving child exploitation and cyber intrusion.

IA HSB 49
Status: Pending
Relates to the administration of elections, provides penalties, includes effective date provisions.

IA HSB 616
Status: Pending
Establishes a cybercrime investigation division in the Department of Public Safety to investigate crimes with a nexus to the internet or computer technology including crimes involving child exploitation and cyber intrusion.

IA S 204
Status: Pending
Provides for an affirmative defense to certain claims relating to personal information security breach protection.

IA S 575
Status: Pending
Relates to the conduct of state and local elections, provides penalties, includes effective date provisions.

IA S 2073
Status: Pending
Provides for an affirmative defense to certain claims relating to personal information security breach protection.

IA S 2080
Status: Pending
Prohibits the state and political subdivisions of the state from exStatus: Pending public money for payment to persons responsible for ransomware attacks.

IA S 2252
Status: Pending
Provides for an affirmative defense to certain claims relating to personal information security breach protection.

IA S 2390
Status: Pending
Establishes a cybercrime investigation unit within the Department of Public Safety to investigate crimes with a nexus to the internet or computer technology including crimes involving child exploitation and cyber intrusion.

IA S 2391
Status: Pending
Prohibits the state and political subdivisions of the state from exStatus: Pending public money for payment to persons responsible for ransomware attacks.

IA SSB 1078
Status: Pending
Relates to the administration of elections.

IA SSB 1241
Status: Pending
Relates to the conduct of state and local elections, provides penalties.

IA SSB 3010
Status: Pending
Establishes a cybercrime investigation, requires the Department of Public Safety to investigate crimes with a nexus to the internet or computer technology including crimes involving child exploitation and cyber intrusion.

Illinois

IL H 2829
Status: Pending
Creates the Financial Institution Cybersecurity Act, provides that persons and entities operating under the authority of the secretary of Financial and Professional Regulation under the Banking Act, Insurance Code, Savings Bank Act, Credit Union Act, Corporate Fiduciary Act, and Residential Mortgage License Act must maintain a cybersecurity program to protect the confidentiality of their information system.

IL H 3017
Status: Pending
Creates the Veterans Cyber Academy Pilot Program Act, provides that the Department of Veterans' Affairs shall establish and implement a pilot program to provide veterans residing in the state with access to cybersecurity training, certification, apprenticeships, and additional resources to enter the cybersecurity field of work, provides that the pilot program shall run from Jan. 1, 2021, to Dec. 31, 2023, provides specified requirements to the department in implementing the pilot program.

IL H 3391
Status: Pending
Creates the Security of Connected Devices Act, requires manufacturers of connected devices to equip the device with security features that are designed to protect the device and any information the device contains from unauthorized access, destruction, use, modification or disclosure.

IL H 3934
Status: Pending
Amends the Emergency Management Agency Act, provides that a disaster includes a cyberattack, directs the governor, to the greatest extent practicable, to delegate or assign command authority to the director of the Emergency Management Agency by orders issued at the time of a disaster.

IL H 4418
Status: Pending
Amends the Election Code, requires the State Board of Elections, in consultation with the Department of Innovation and Technology, to study and evaluate the use of blockchain technology to protect voter records and election results with the assistance of specified experts, requires the board to submit a report on the use of blockchain technology to the governor and General Assembly, repeals the provisions on Jan. 1, 2023.

IL H 4443
Status: Pending
Amends the Freedom of Information Act, modifies the exemptions from inspection and copying concerning cybersecurity vulnerabilities, amends the Department of Innovation and Technology Act, authorizes the Department of Innovation and Technology to accept grants and donations, creates the Technology, Education and Cybersecurity Fund as a special fund in the state treasury to be used by the Department of Innovation and Technology to promote and effectuate information technology activities.

IL H 4444
Status: Pending
Amends the Freedom of Information Act, modifies the exemptions from inspection and copying concerning cybersecurity vulnerabilities, amends the Department of Innovation and Technology Act, authorizes the Department of Innovation and Technology to accept grants and donations, creates the Technology, Education and Cybersecurity Fund as a special fund in the state treasury to be used by the Department of Innovation and Technology to promote and effectuate information technology activities.

IL H 4559
Status: Pending
Amends the Freedom of Information Act, exempts from the Act records that are designed to detect, defend against, prevent or respond to potential cyber-attacks on elections and voter registration held by the State Board of Elections, the Department of Innovation and Technology, election authorities and other necessary parties, amends the Election Code, combines changes made by two Public Acts regarding cybersecurity efforts, changes references to the Help America Vote Act.

IL H 5204
Status: Pending
Creates the Cybersecurity Compliance Act, defines terms, creates an affirmative defense for every covered entity that creates, maintains and complies with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of either personal information or both personal information and restricted information and that reasonably conforms to an industry-recognized cybersecurity framework, prescribes requirements for the cybersecurity program.

IL H 5396
Status: Pending
Amends the Emergency Management Agency Act, provides that a cyberattack is a disaster.

IL H 5397
Status: Pending
Creates the Insurance Data Security Act, requires any person licensed, authorized to operate, or registered as an insurer in accordance with the insurance laws of this state to conduct a risk assessment of cybersecurity threats, implement appropriate security measures, and no less than annually assess the effectiveness of the safeguards' key controls, systems and procedures, requires a licensee to develop, implement and maintain a written information security program based on the licensee's risk.

IL H 5398
Status: Pending
Creates the Cyber Reserve Act, establishes the Cyber Reserve, to be administered by the Emergency Management Agency, in order to deploy volunteers upon the occurrence of a cybersecurity incident, contains provisions regarding volunteer requirements, criminal history checks, and civil liability, requires volunteers to provide assistance for six years from the time of deployment or for the time required under the agency's record retention policies, whichever is longer.

IL H 5399
Status: Pending
Amends the Information Security Improvement Act, provides that no state agency shall use any software platform developed, in whole or in part, by Kaspersky Lab or any entity of which Kaspersky Lab Holds majority ownership, provides that the Department of Innovation and Technology shall adopt rules as necessary to implement the provisions, provides legislative findings.

IL HJR 1
Status: Pending
Extends the sunset date of the operation of the Cybersecurity Task Force, reconstitutes the focus and membership of the Task Force.

IL HJR 2
Status: Pending
Creates the Return Illinois To Prosperity Commission to review and evaluate the creation of a State Bank, provides that the mission of a State Bank would include supporting economic development by increasing access to capital for agriculture, businesses, and industry and providing stability to the local financial sector.

IL HJR 108
Status: Pending
Urges the State Board of Education, by the 2020-2021 school year, to establish a P12 Cyber Threat Response Team within the State Board of Education to provide assistance to public schools, early childhood providers, and special education facilities across the state when faced with a cybersecurity threat.

IL S 240
Status: Pending
Creates the Consumer Credit Reporting Agency Registration and Cybersecurity Program Act, provides for requirements for consumer credit reporting agency registration, contains provisions regarding grounds for revocation and suspension of a registration, provides that by a certain date, a consumer credit reporting agency must have a cybersecurity program documented in writing and designed to protect the confidentiality, integrity and availability of its information systems.

IL S 1622
Status: Pending
Amends the Election Code, provides that no voting machine used, adopted or purchased by an election authority may be made, manufactured or assembled outside the United States or constructed with parts made, manufactured or assembled outside the United States, including, but not limited to, any hardware or software, provides that, in provisions concerning voting machines, precinct tabulation optical scan technology voting systems, and direct recording electronic voting systems,

IL S 1719
Status: Pending
Creates the Keep Internet Devices Safe Act, provides that a digital device is an internet-connected device that contains a microphone, provides that no private entity may turn on or enable a digital device's microphone unless the registered owner or person configuring the device is provided certain notices in a consumer agreement, provides that a manufacturer of a digital device that does not cause to be turned on or otherwise use a digital device's microphone is not subject to the restrictions on its use.

IL S 1863
Status: Pending
Amends the Freedom of Information Act, exempts from disclosure risk and vulnerability assessments, security measures, schedules, certifications, and response policies or plans that are designed to detect, defend against, prevent or respond to potential cyberattacks upon the state's or an election authority's network systems, or records that the disclosure of which would, in any way, constitute a risk to the proper administration of elections or voter registration.

IL S 2778
Status: Pending
Amends the Emergency Management Agency Act, provides that a cyberattack is a disaster, requires the governor to delegate or assign authority to the director of the Emergency Management Agency to manage, coordinate and direct all resources by orders issued at the time of a disaster.

IL S 3518
Status: Pending
Amends the Freedom of Information Act, modifies the exemptions from inspection and copying concerning cybersecurity vulnerabilities, amends the Department of Innovation and Technology Act, authorizes the Department of Innovation and Technology to accept grants and donations, creates the Technology, Education and Cybersecurity Fund as a special fund in the state treasury to be used by the Department of Innovation and Technology to promote and effectuate information technology activities.

Indiana

IN H 1240
Status: Failed--adjourned
Relates to cybersecurity training program, provides that the Department of Homeland Security Division of Preparedness and Training, with the assistance of other certain entities, shall create and implement mandatory cybersecurity training courses for all individuals elected to a county office, and newly elected individuals to a county office, provides that a training course shall include activities, case studies, hypothetical situations, and other methods that focus on forming information security habits.

IN H 1372
Status: Enacted
Adopts the insurance data security model law, which requires certain holders of an insurance license, authority, or registration to maintain an information security program and meet other requirements. Establishes an affirmative defense to a tort civil action for a licensee that satisfies the requirements of the insurance data security model law.

IN HR 42
Status: Adopted
Urges the Legislative Council to assign to an appropriate study committee the topic of the potential dangers of cyberhacking and ransomware attacks on state and local governments as well as the creation of a specialized Cyber-Technical Assistance Program at Purdue University.

IN S 179
Status: Enacted
Relates to election cybersecurity, requires counties to enter into an agreement with the secretary of state to use a threat intelligence and enterprise security company for specified security purposes, requires certain proficiency standards for personnel qualified to access the statewide voter registration system, requires applicants for certification of voting systems and electronic poll books to include specified information.

IN S 240
Status: Failed--adjourned
Relates to cybersecurity requirements for insurers, requires an insurer to develop, maintain and update an information security program for the purpose of protecting consumers nonpublic information, conduct a risk assessment of its information systems to aid in the development of an information security program, notify the insurance commissioner if a cybersecurity event affecting the nonpublic information of 250 or more consumers occurs, and develop an incident response plan to respond to cybersecurity.

IN S 334
Status: Enacted
Allows the secretary of state and election division to assist a prosecuting attorney in prosecuting certain actions and allow the use of an attorney retained by the secretary of state or election division, requires boards of elections and registration to attend election security meetings called by the election division, changes the time frame in which a voter list maintenance program must be conducted for certain special elections.

IN S 380
Status: Failed--adjourned
Relates to election board incident response plan, provides that a county election board shall adopt a county election incident response plan that includes at least a plan for the physical security of all voting systems, electronic poll books, and any other election equipment under the control of the board, a response plan to any natural disaster that occurs in the county and affects the ability of the board to conduct an election in the county, a response plan to any medical or manmade emergency occurrence.

IN SR 13
Status: Adopted
Relates to legislative council to assign the topic of the potential dangers of cyberhacking in state government specifically the use of ransomware, urges the legislative council to assign to an appropriate study committee the topic of the potential dangers of cyberhacking in state government, specifically the use of ransomware.

Kansas

KS S 454
Status: Pending
Creates exemptions in the Open Records Act for election security records and cybersecurity records.

Louisiana

LA H 398
Status: Pending
(Constitutional Amendment) Establishes the State Cybersecurity and Information Technology Fund, dedicates revenues to the fund.

LA H 412
Status: Pending
Expands the authorized uses of monies in the State Emergency Response Fund.

LA H 478
Status: Pending
Establishes the State Cybersecurity and Information Technology Fund, dedicates revenues to the fund.

LA H 614
Status: Pending
Provides relative to data security for persons regulated by the commissioner of insurance.

LA H 633
Status: Pending
Provides for the mandatory training in cybersecurity awareness for all state and local employees, officials and contractors.

LA H 636
Status: Pending
Creates and provides for the Joint Legislative Committee on Technology and Cybersecurity.

LA H 751
Status: Pending
Makes revisions to the Election Code.

LA S 79
Status: Pending
Creates the Cybersecurity Talent Initiative Fund for the purpose of funding degree and certificate programs in cybersecurity Fields and the Cybersecurity Education Management Council to advise relative to the fund.

LA S 140
Status: Pending
Requires certain offices to report cyber incidents to the secretary of state.

LA S 398
Status: Pending
Provides for qualifications of volunteers to cyber response and recovery support efforts with the Governor's Office of Homeland Security and Emergency Preparedness.

LA SCR 10
Status: Pending
Establishes and provides for the Cyber Investigators Alliance.

Massachusetts

MA H 223
Status: Pending
Relates to the security of personal financial information.

MA H 287
Status: Pending
Protects the privacy and security of biometric information.

MA H 2690
Status: Pending
Establishes a task force to study the need for increased cybersecurity within government agencies.

MA H 2692
Status: Pending
Relates to cybersecurity standards in state contracts or procurements.

MA H 2728
Status: Pending
Provides that state agencies procuring information technology goods or services give preference to vendors that carry cybersecurity insurance.

MA H 3763
Status: Pending
Provides for convenient voting for military personnel, their families and civilians stationed or working abroad.

MA S 315
Status: Pending
Relates to cybersecurity education in schools.

MA S 1822
Status: Pending
Relates to cybersecurity insurance preference in state contracts.

MA S 1887
Status: Pending
Establishes a Cybersecurity Control and Review Commission.

MA S 2056
Status: Pending
Relates to the cybersecurity of internet-connected devices and autonomous vehicles.

Maryland

MD H 45
Status: To Governor
Alters the terms relating to eligibility for benefits under the More Jobs for Marylanders and Opportunity Zone Enhancement programs, alters the taxable years for which enhancements under the Opportunity Zone Enhancement Program are applicable, requires the Department of Commerce to publish information about the Program on its website, limits eligibility of Program benefits to investments in newly established biotechnology and cybersecurity companies.

MD H 176
Status: Pending
Authorizes a public agency in St. Mary's County to meet in a closed session to consider the investment of public funds, to consult with counsel for legal advice, and, under certain circumstances, to discuss certain cybersecurity matters.

MD H 215
Status: Pending
Prohibits a person from knowingly possessing certain ransomware with the intent to use that ransomware for introduction into the computer, computer network, or computer system of another person without the authorization of the other person. Establishes penalties.

MD H 235
Status: Pending
Requires the secretary of information technology, in consultation with the attorney general, to advise and oversee a consistent cybersecurity strategy for units of state government, including institutions under the control of the governing boards of public institutions of higher education, counties, school districts, municipal corporations, and other political subdivisions of the state, requires the secretary to advise and consult with the legislative and judicial branches regarding cybersecurity.

MD H 237
Status: Failed-adjourned
Requires a business that maintains personal information of an individual residing in the State to implement and maintain certain security procedures and practices; alters the circumstances under which the owner or licensee of certain computerized data is required to notify certain individuals of a certain breach; alters the time periods within which certain notifications regarding the breach of a security system are required to be given.

MD H 274
Status: Pending
Requires a financial institution that requires a customer to provide an answer to a security question for a certain purpose to allow a customer to choose from at least two options for each required security question, prohibits a financial institution from using a customer's mother's maiden name as a means of safeguarding access to the customer's account.

MD H 392
Status: Pending
Prohibits the State Board of Elections from approving a contract with an election service provider unless the contract includes a clause requiring the election service provider to report to the state administrator of elections if any stage in the manufacturing of a component of the provider's election system occurred outside the United States, alters the circumstances under which the State Board is prohibited from certifying a voting system.

MD H 635
Status: Pending
Prohibits a person from knowingly possessing certain malware or ransomware with the intent to use that malware or ransomware for the purpose of introduction into a computer, computer network, or computer system of another person without the authorization of the other person, creates a certain exception, establishes a certain penalty.

MD H 888
Status: Pending
Requires the manufacturer of a connected device to equip the device with a certain reasonable security feature, provides that a security feature for a connected device is reasonable if the connected device is equipped with a certain means for authentication, provides that a violation of the act is an unfair, abusive, or deceptive trade practice within the meaning of the Maryland Consumer Protection Act and is subject to certain enforcement and penalty provisions.

MD H 996
Status: Pending
Requires the Department of Information Technology, in consultation with the Maryland Cybersecurity Council, to establish a Cybersecurity Response Team, sets forth the duties of the Cybersecurity Response Team, alters the purposes of the 9-1-1 Trust Fund, requires the comptroller to disperse certain funds from the 9-1-1 Trust Fund to certain local jurisdictions for a certain purpose.

MD H 1183
Status: Pending
Codifies the establishment of the Office of Security Management within the Department of Information Technology, the position of State Chief Information Security Officer, and the Maryland Cybersecurity Coordinating Council, alters the membership of the council, requires each unit of the legislative or judicial branch of state government that uses a certain network to certify certain compliance to the department on or before a specific date each year.

MD H 1580
Status: Pending
Requires the secretary of budget and management, in partnership with the secretary of information technology and the state chief information security officer, to establish certain minimum qualifications for skilled service and professional service classes of state employees in the information technology and cybersecurity fields, requires the secretary of budget and management to revise the standards for position selection plans for certain classifications of state employees in certain fields.

MD H 1588
Status: Pending
Requires the secretary of information technology to conduct a risk assessment of any major information technology development project the secretary believes may present an exceptional risk to the state, requires the risk assessment to consider the nature, processing, and use of sensitive or personally identifiable information, authorizes the secretary to recommend an increase in a certain limitation of liability amount under certain circumstances, requires a certain recommendation to be made.

MD H 1618
Status: Pending
Establishes the Cybersecurity Coordination and Operations Office within the Emergency Management Agency to help improve statewide cybersecurity readiness and response, requires the director of MEMA to appoint an executive director as head of the office, requires the office to be provided with sufficient staff to perform the office's functions, requires the office to establish regional assistance groups to deliver or coordinate support services to political subdivisions and agencies.

MD S 5
Status: Pending
Establishes the Maryland Cyber Reserve within the Military Department, provides that the organized militia of the state includes the reserve, provides the governor is the commander-in-chief of the reserve.

MD S 30
Status: Pending
Relates to crimes involving computers.

MD S 47
Status: To Governor
Requires the Commission to Advance Next Generation 911 Across Maryland to report findings and recommendations to the Governor and the General Assembly on or before a certain date.

MD S 120
Status: Failed
Relates to Cybeesecurity, relates to the Department of Information Technology.

MD S 120
Status: Failed
Relates to cybersecurity, relates to the Department of Information Technology.

MD S 160
Status: Failed--adjourned
Requires a financial institution that requires a customer to provide an answer to a security question for a certain purpose to allow a customer to choose from at least two options for each required security question, prohibits a financial institution from using a customer's mother's maiden name as a means of safeguarding access to the customer's account.

MD A 201
Status: Failed--adjourned
Requires a business that maintains personal information of an individual residing in the State to implement and maintain certain security procedures and practices; alters the circumstances under which the owner or licensee of certain computerized data is required to notify certain individuals of a certain breach; alters the time periods within which certain notifications regarding the breach of a security system are required to be given.

MD S 588
Status: Failed--adjourned
Excludes the University System of Maryland from certain provisions of law governing protection of information by government agencies, requires the University System of Maryland to review and designate certain systems as systems of record based on certain criteria and to develop and adopt a certain privacy governance program to govern each system of record.

MD S 724
Status: Failed--adjourned
Requires the secretary of budget and management, in partnership with the secretary of information technology and the state chief information security officer, to establish certain minimum qualifications for skilled service and professional service classes of state employees in the information technology and cybersecurity fields.

MD S 820
Status: Failed--adjourned
Requires a supplier of water to inspect certain valves in a public water system in a certain manner, repair or replace valves, inspect fire hydrants, formulate and implement a plan, identify the locations of valves, and record characteristics and identifiers of certain valves, requires a supplier of water to develop a certain cybersecurity program by a specified date.

MD S 936
Status: Failed--adjourned
Requires the state administrator of elections to exercise disciplinary authority over the local election directors for noncompliance with state rules, regulations and policies, requires a local board of elections to notify the state administrator in writing after becoming aware of a certain security violation or a certain significant attempted security violation involving an election system.

MD S 1036
Status: Failed--adjourned
Establishes the Cybersecurity Coordination and Operations Office within the Maryland Emergency Management Agency to help improve statewide cybersecurity readiness and response, requires the director of MEMA to appoint an executive director as head of the office, requires the office to be provided with sufficient staff to perform the office's functions, requires the office to establish regional assistance groups to deliver or coordinate support services to political subdivisions, agencies.

MD S 1049
Status: Failed--adjourned
Establishes the Cybersecurity Talent Pipeline Management Program to provide funds to a certain collaborative, defines "collaborative" as commitments of partnership between at least two cybersecurity organizations to improve the state's cybersecurity workforce needs, as per a signed agreement, authorizes the program to award only one competitive matching grant in the first year, requires the governor, in fiscal years 2022 through 2024, to include in the annual budget bill an appropriation.

Maine

ME S 697
Status: Pending
Enacts the state Insurance Data Security Act, establishes standards for information security programs based on ongoing risk assessment for protecting consumers' personal information, establishes requirements for the investigation of and notification to the superintendent of insurance regarding cybersecurity events.

Michigan

MI H 4348
Status: Pending
Provides executive recommendation for omnibus bill.

MI H 5426
Status: Pending
Modifies Michigan Cyber Civilian Corps Act.

MI H 5427
Status: Pending
Modifies Michigan Cyber Civilian Corps Advisory Board duties.

MI H 5554
Status: Pending
Provides for omnibus budget.

MI S 205
Status: Pending
Provides executive recommendation for omnibus bill.

Minnesota

MN H 14
Status: Pending
Relates to elections, transfers and appropriates money for purposes of the Help America Vote Act, improves the administration and security of elections as authorized by federal law, including but not limited to modernizing, securing and updating the statewide voter registration system and for cybersecurity upgrades as authorized by federal law, improving accessibility, preparing training materials and training local election officials.

MN H 17
Status: Pending
Appropriates money from the Help America Vote Act account for certain authorized purposes, provides for the purposes of modernizing, securing and updating the statewide voter registration system and for cybersecurity upgrades as authorized by federal law.

MN H 102
Status: Pending
Relates to public safety, expands crime of unauthorized computer access to include accessing a computer without penetrating security system.

MN H 1833
Status: Pending
Modifies and establishes various provisions governing energy policy and finance, strengthens requirements for clean energy and energy conservation in the state, appropriates money, requires reports.

MN H 1949
Status: Pending
Relates to state government, requires consideration of cloud computing service options in state agency information technology projects, requires technology infrastructure inventories and security risk assessments, requires completion of the consolidation of information technology services and a strategic work plan, requires a consolidation surcharge for certain agencies, mandates reports, defines terms.

MN H 2087
Status: Pending
Relates to the operation of state government, appropriates money for the legislature, the governor's office, state auditor, attorney general, secretary of state, certain agencies, boards and councils, changes provisions for administrative law judge salaries, revolving loan fund, cemeteries and MERF.

MN H 2524
Status: Pending
Relates to the secretary of state, creates a technology and cybersecurity account, provides for technology and cybersecurity maintenance.

MN H 2721
Status: Pending
Relates to state government, establishes a Legislative Commission on Cybersecurity, provides legislative appointments.

MN H 2743
Status: Pending
Relates to courts, increases certain court-related fees, establishes a cybersecurity fee.

MN H 3842
Status: Pending
Relates to insurance, establishes an Insurance Data Security Law.

MN H 4084
Status: Pending
Relates to elections, provides for election technology and cybersecurity assessment, maintenance and enhancement, requires certain election security notifications.

MN H 4351
Status: Pending
Relates to elections; creates a technology and cybersecurity account; provides for technology and cybersecurity maintenance; requires election day registrants to cast provisional ballots; amends the process to register to vote in conjunction with submitting an absentee ballot; provides a penalty; makes conforming changes; appropriates money.

MN H 4536
Status: Pending
Relates to state government, establishes a Legislative Commission on Cybersecurity, provides legislative appointments.

MN H 4540
Status: Pending
Relates to public safety, modifies certain provisions relating to sexual assault examination kits, background checks, and the Board of Public Defense, appropriates money for the Supreme Court, corrections, sentencing guidelines, and public safety, transfers funds to a disaster contingency account.

MN S 1264
Status: Pending
Relates to state government, establishes a Legislative Commission on Cybersecurity, provides legislative appointments.

MN S 2097
Status: Pending
Relates to state government, requires consideration of cloud computing service options in state agency information technology projects, requires technology infrastructure inventories and security risk assessments, requires completion of the consolidation of information technology services and a strategic work plan, requires a consolidation surcharge for certain agencies, mandates reports.

MN S 2227
Status: Pending
Relates to the operation of the state government, appropriates money for the legislature, governor's office, state auditor, attorney general, secretary of state, certain agencies, boards, councils and retirement funds, changes provisions in state government operations, establishes commissions and task forces, repeals state aid to PERA General for MERF, establishes observances for veterans and allies.

MN S 2726
Status: Pending
Relates to the operation of state government, appropriates money for the legislature, governor's office, state auditor, attorney general, secretary of state, certain agencies, boards and councils, changes provisions for administrative law judge salaries, revolving loan fund, cemeteries and MERF.

MN S 2845
Status: Pending
Relates to state government, requirements for state information technology security.

MN S 3275
Status: Pending
Relates to elections, creates a technology and cybersecurity account, provides for technology and cybersecurity maintenance, requires Election Day registrants to cast provisional ballots, amends the process to register to vote in conjunction with submitting an absentee ballot, provides a penalty, makes conforming changes, appropriates money.

MN S 3548
Status: Pending
Relates to elections, transfers and appropriates money for purposes of the Help America Vote Act.

MN S 3629
Status: Pending
Relates to education, increases safe schools revenue, requires a report, appropriates money.

MN S 4269
Status: Pending
Relates to insurance, establishes an Insurance Data Security Law.

MN S 4530
Status: Pending
Relates to public safety, modifies certain provisions relating to sexual assault examination kits, background checks, and Board of Public Defense, appropriates money for the supreme court, corrections, sentencing guidelines, and public safety, transfers funds to disaster contingency account.

Missouri

MO H 2050
Status: Pending
Requires that the comprehensive state energy plan be reviewed by the Division of Energy by Jan. 1, 2022, and biennially thereafter, and updated if necessary.

MO H 2120
Status: Pending
Establishes provisions relating to water safety and security.

MO S 688
Status: Pending
Requires that the comprehensive state energy plan be reviewed by the Division of Energy by a specified date, and biennially thereafter, and updated if necessary.

Mississippi

MS H 1165
Status: Pending
Authorizes and directs the State Department of Education to implement a mandatory K-12 computer science curriculum based on the state college and career readiness standards for computer science which includes instruction in, but not limited to, computational thinking, cyber-related, programming, cybersecurity, data science, robotics, and other computer science and cyber-related content, prescribes minimum components of the curriculum at each grade level, provides for teacher training as needed.

MS S 2284
Status: Failed
Authorizes and directs the Mississippi Department of Education to implement a mandatory K-12 computer science curriculum based on the Mississippi College and Career Readiness Standards for Computer Science which includes instruction in, but not limited to, computational thinking, cyber-related, programming, cybersecurity, data science, robotics, and other computer science and cyber-related content, prescribes minimum components of the curriculum at each grade level.

MS E.O. 20
Creates a Task Force on State Cybersecurity; directs the Task Force to develop recommendations and proposals to identify vulnerabilities of systems, staffing, training and technologies with state agencies.

North Carolina

NC H 911
Status: Pending—Carryover
Directs the Department of Information Technology to study and assess the threat of foreign technologies in state-owned computer systems.

Nebraska

NE L 351
Status: Pending
Provides for school district levy and bonding authority for cybersecurity and violence prevention.

New Hampshire

NH H 1259
Status: Pending
Exempts statewide standards and protocols relative to information technology, networks, telephony and cybersecurity developed by the Department of Information Technology in consultation with the Information Technology Council.

NH LSR 570
Status: Pending
Relates to review and adoption of school data security plans.

NH LSR 923
Status: Pending
Relates to the insurance data security law.

NH LSR 2812
Status: Pending
Relates to minimal cybersecurity standards for municipalities.

NH S 694
Status: Pending
Requires the department of information technology to adopt minimum cybersecurity standards for political subdivisions, requires political subdivisions to self report their level of adherence to the standards, makes appropriations to the department of information technology.

New Jersey

NJ A 442
Status: Pending
Requires public institutions of higher education to establish plans concerning cybersecurity and prevention of cyberattacks.

NJ A 1378
Status: Pending
Directs New Jersey Cybersecurity and Communications Integration Cell to develop cybersecurity prevention best practices and awareness materials for consumers in this state.

NJ A 1396
Status: Pending
Concerns information security standards and guidelines for state and local government.

NJ A 1654
Status: Pending
Requires state, county and municipal employees and certain state contractors to complete cybersecurity awareness training.

NJ A 2083
Status: Pending
Establishes the crime of cyber interference, defined as tampering or interfering with any software, computer, cellphone or any other electronic device, with the purpose to harass another.

NJ A 2852
Status: Pending
Directs state Cybersecurity and Communications Integration Cell, Office of Information Technology, and state Big Data Alliance to develop advanced cyber-infrastructure strategic plan.

NJ A 3684
Status: Pending
Requires state employees to receive best cybersecurity practices.

NJ A 3834
Status: Pending
Concerns debarment of contractors for conviction of certain computer-related crimes.

NJ AJR 40
Status: Pending
Urges secretary of state to assure legislature and public that State's electoral system is protected from foreign computer hackers.

NJ AJR 66
Status: Pending
Establishes Technology Task Force.

NJ AJR 153
Status: Pending
Designates October of each year as Cyber Security Awareness Month.

NJ S 343
Status: Pending
Directs the state Cybersecurity and Communications Integration Cell, Office of Information Technology, and the state Big Data Alliance to develop an advanced cyber-infrastructure strategic plan.

NJ S 647
Status: Pending
Revises cybersecurity, asset management, and related reporting requirements in "Water Quality Accountability Act."

NJ S 1233
Status: Pending
Requires certain persons and business entities to maintain comprehensive information security program.

NJ S 2155
Status: Pending
Requires Economic Development Authority to establish program offering low interest loan to certain financial institutions and personal data businesses to protect business's information technology system from customer personal information disclosure.

New Mexico

NM H 2
Status: Enacted
Makes general appropriations and authorizing expenditures by state agencies required by law.

NM SJM 7
Status: Failed—Adjourned
Relates to study school cybersecurity issues.

New York

NY A 291
Status: Pending
Directs the commissioner of the division of homeland security and emergency services to work with other experts who maintain experience and knowledge in the area of cybersecurity to develop a cybersecurity action plan for New York state.

NY A 465
Status: Pending
Enacts the Personal Information Protection Act, establishes a personal information bill of rights requiring parties having custody of residents personal identifying information to ensure the security thereof, provides for the approval of programs to secure personal identifying information by the office of information security, requires the notification of the division of state police and the subjects of information upon the breach of such information..

NY A 914
Status: Pending
Amends the Penal Law, relates to creating the crime of cyberterrorism and calculating damages caused by computer tampering, provides that cyberterrorism shall be a class B felony.

NY A 1185
Status: Pending
Amends the Insurance Law, authorizes continuing care retirement communities to adopt a written cybersecurity policy, requires such policies to be self-certified and approved by the superintendent.

NY A 1351
Status: Pending
Directs the state board of elections to study and evaluate the use of blockchain technology to protect voter records and election results.

NY A 1729
Status: Pending
Establishes a commission to study the European Union's general protection data regulation and the current state of cybersecurity in the state.

NY A 2124
Status: Pending
Creates specific computer crimes as well as increasing penalties for crimes committed with the aid of a computer, provides for civil relief in cases of pornography on the internet, and penal sanctions in such cases.

NY A 2229
Status: Pending
Requires manufacturers of connected devices to equip such devices with reasonable security features.

NY A 4884
Status: Pending
Relates to creating the Modernized Voter Registration Act of New York, modernizes voter registration, promotes access to voting for individuals with disabilities, protects the ability of individuals to exercise the right to vote in elections for local and state office, makes an appropriation therefor.

NY A 6514
Status: Pending
Establishes the offenses of phishing in the third degree, phishing in the second degree and phishing in the first degree, relates to the time in which prosecution of such offenses must be commenced.

NY A 7682
Status: Pending
Relates to critical utility infrastructure security and responsibility, relates to the protection of critical infrastructure in the state, provides that an electric or gas corporation or municipality shall not share, disclose or otherwise provide access to a customer's electrical or gas consumption data.

NY A 7913
Status: Pending
Removes the economic harm requirement from the felony commercial bribery statutes, expands the crime of larceny to include theft of personal identifying information, computer data, computer programs, and services, to adapt to modern technological realities, provides state jurisdiction and county venue over cases involving larceny of personal identifying information, computer data, and computer programs, where the victim is located in the state or the county.

NY A 8776
Status: Pending
Amends the Military Law, establishes civilian cybersecurity reserve forces within the state militia to be capable of being expanded and trained to educate and protect state, county and local government entities, critical infrastructure, including election systems, businesses and citizens of the state from cyberattacks.

NY S 229
Status: Pending
Amends the Penal Law, relates to computer tampering.

NY S 394
Status: Pending
Amends the Penal Law, elevates all computer tampering offenses by one degree in severity.

NY S 2475
Status: Pending
Relates to computer-related crimes.

NY S 3172
Status: Pending
Establishes the offenses of phishing in the third degree, phishing in the second degree and phishing in the first degree, relates to the time in which prosecution of such offenses must be commenced.

NY S 3625
Status: Pending
Amends the Insurance Law, promotes competitive property and casualty insurance markets for business to business insurance transactions.

NY S 3973
Status: Pending
Requires manufacturers of connected devices to equip such devices with reasonable security features.

NY S 4273
Status: Pending
Amends the Penal Law, relates to creating the crime of cyberterrorism and calculating damages caused by computer tampering, cyberterrorism shall be a class B felony.

NY S 4444
Status: Pending
Establishes the computer security act, addressing the widespread problem of spyware, makes it illegal for third parties to knowingly and deceptively cause computer software to be copied onto personal computers that changes the computer users settings without permission, prevents users from resetting computers to the original preferences or removing third-party software, secretly collects information about internet searches, disables the computers security software or causes related disruptive activities.

NY S 4744
Status: Pending
Establishes a commission to study the European Union's general protection data regulation and the current state of cybersecurity in the state.

NY S 5222
Status: Pending
Removes the specified amount economic harm requirement from the felony commercial bribery statutes, expands the crime of larceny to include theft of personal identifying information, computer data, computer programs, and services, to adapt to modern technological realities, provides state jurisdiction and county venue over cases involving larceny of personal identifying information, computer data, and computer programs, where the victim is located in the state or the county.

NY S 5449
Status: Pending
Establishes the Ethical Standards for State Agency Contractors Act, prohibits a contractor from organizational conflicts of interest with respect to such state agency contract, prohibits contractors' employees from taking any action that would constitute a personal conflict of interest, provides for nondisclosure agreements, provides reporting requirements and imposes consequences for violations.

NY S 6036
Status: Pending
Directs the state board of elections to study and evaluate the use of blockchain technology to protect voter records and election results.

NY S 6195
Status: Pending
Relates to critical utility infrastructure security and responsibility, relates to the protection of critical infrastructure in the state, provides that an electric or gas corporation or municipality shall not share, disclose or otherwise provide access to a customer's electrical or gas consumption data.

NY S 6822
Status: Pending
Amends the Military Law, establishes civilian cybersecurity reserve forces within the state militia to be capable of being expanded and trained to educate and protect state, county, and local government entities, critical infrastructure, including election systems, businesses, and citizens of the state from cyber attacks.

NY S 7001
Status: Pending
Requires the department of education to provide annual notifications to school districts to combat cybercrime.

NY S 7003
Status: Pending
Establishes the school district cybercrime prevention services program to provide school districts with information on strategies, best practices and programs offering training and assistance in the prevention of cybercrimes in school districts or otherwise affecting school districts, provides that information on eligibility and applications for financial assistance be made available to school districts.

NY S 7246
Status: Pending
Creates a cybersecurity enhancement fund to be used for the purpose of upgrading cybersecurity in local governments, including but not limited to, villages, towns and cities with a population of one million or less and restricts the use of taxpayer money in paying ransoms in response to ransomware attacks.

NY S 7289
Status: Pending
Prohibits any municipal corporation or other government entity from paying ransom in the event of a cyber-attack against such municipal corporation's or government entity's critical infrastructure.

NY S 7584
Status: Pending
Prohibits the procurement of telecommunications equipment or services which originate from certain Chinese entities and allows for the Department of Homeland Security and Emergency Services in consultation with the secretary of state to add additional prohibitions.

NY S 8184
Status: Pending
Establishes tiers of essential employees during a state of emergency and designates categories of employees in each tier.

Ohio

OH H 368
Status: Pending
Enacts the Computer Crimes Act.

Oklahoma

OK H 2146
Status: Pending
Creates a credit against income tax for qualified software or cybersecurity employees.

OK H 3192
Status: Pending
Relates to revenue and taxation, relates to an income tax credit with respect to certain software or cybersecurity employees, modifies definitions, modifies references, modifies provisions related to qualifying employers and qualified employees, provides an effective date, declares an emergency.

OK H 3274
Status: Pending
Relates to cities and towns, relates to Oklahoma Municipal Power Authority, provides certain exemptions, provides an effective date.

OK S 746
Status: Pending
Relates to income tax credits, establishes tax credits for certain software or cybersecurity employees, provides a specified amount for the credit, imposes a maximum number of taxable years for which the credit may be claimed, prohibits the use of the credit to reduce tax liability below a certain amount, provides for certain qualified employers to make application to the State Tax Commission.

OK S 1204
Status: To Governor
Relates to income tax, relates to income tax credit for qualifying software or cybersecurity employees, modifies definition, eliminates specific authority for participation in certain program and related requirements, updates statutory references, provides an effective date, declares an emergency.

OK S 1842
Status: Pending
Relates to the Oklahoma Municipal Power Authority, relates to the Open Meetings Act, authorizes the authority to hold executive sessions for specified purposes, relates to the Oklahoma Open Records Act, authorizes the authority to keep certain records confidential, relates to the Information Technology Consolidation and Coordination Act, modifies definition, provides an effective date.

OK S 1919
Status: Pending
Relates to insurance, creates the Insurance Data Security Act, defines terms, requires licensed insurers to develop and maintain a comprehensive information security program based on certain factors, provides objectives of security program, requires licensee to conduct certain assessment of risk factors and ensure sufficiency of safeguarding data policies and procedures, requires use of data from assessment to determine design of information security program and necessary security measures.

Pennsylvania

PA H 140
Status: Pending
Provides appropriations from the General Fund for the expenses of the Executive, Legislative and Judicial Departments of the Commonwealth, the public debt and the public schools for the fiscal year July 1, 2019, to June 30, 2020, and for the payment of bills incurred and remaining unpaid at the close of the fiscal year ending June 30, 2019, provides appropriations from special funds and accounts to the Executive and Judicial departments.

PA H 225
Status: Pending
Amends the act, known as The Administrative Code of 1929, in organization of departmental administrative boards and commissions and of advisory boards and commissions, provides for Cybersecurity Innovation Commission.

PA H 2009
Status: Pending
Provides for the Cybersecurity Coordination Board to collect, study and share information about data privacy and cybersecurity issues and initiatives with respect to developing uniform cybersecurity techniques, standards, policies, procedures and best practices.

PA H 2387
Status: Pending
Provides appropriations from the General Fund for the expenses of the Executive, Legislative and Judicial Departments of the Commonwealth, the public debt and the public schools, and for the payment of Bills incurred and remaining unpaid at the close of the fiscal year.

PA S 487
Status: Pending
Amends the act of Dec. 22, 2005, known as the Breach of Personal Information Notification Act, provides for title of act, for definitions and for notification of breach, prohibits employees of the Commonwealth from using nonsecured Internet connections, provides for Commonwealth policy and for entities subject to the Health Insurance Portability and Accountability Act of 1996.

PA S 810
Status: Pending
Relates to boards and offices, provides for information technology, establishes the Office of Information Technology and the Information Technology Fund, provides for administrative and procurement procedures and for the Joint Cybersecurity Oversight Committee, imposes duties on the Office of Information Technology, provides for the administration of the Statewide Radio Network, imposes penalties.

PA S 487

Status: Pending

Amends the act of December 22, 2005, known as the Breach of Personal Information Notification Act, provides for title of act, for definitions and for notification of breach, prohibits employees of the Commonwealth from using nonsecured Internet connections, provides for Commonwealth policy and for entities subject to the Health Insurance Portability and Accountability Act of 1996.

PA S 613
Status: Vetoed
Amends the Administrative Code, reenacts provisions relating to criminal history background checks of employees and contractors with access to federal tax information, provides for the coronavirus emergency mitigation plan for businesses.

Rhode Island

RI H 7723
Status: Pending
Regulates data brokers, provides that data brokers would be required to annually register, provide substantive notifications to consumers, and adopt comprehensive data security programs.

RI H 7771
Status: Pending
Adopts the National Association of Insurance Commissioners Cybersecurity Act which establishes the current standard for insurers doing business in this state.

RI H 7954
Status: Pending
Creates an Election Systems Cybersecurity Review Board to provide a security analysis of the elections systems and facilities, creates a Cybersecurity Incident Response Group to establish protocols and policy planning for cybersecurity threats at any state agency.

RI S 2030
Status: Pending
Establishes that manufacturers of devices capable of connecting to the internet equip the devices with reasonable security features.

RI S 2618
Status: Pending
Adopts the National Association of Insurance Commissioners Cybersecurity Act which establishes the current standard for insurers doing business in this state.

South Carolina

SC H 3585
Status: Pending
Clarifies that certain individuals are authorized to adjust food spoilage claims without an adjuster's license, requires a long term care insurance provider to submit all premium rate schedules to the Department of Insurance and to establish certain procedures concerning the premium approval process, relates to the duties of the director of the Department of Insurance, alters public hearing requirements, relates to insurance premium taxes, excludes certain factors from the total premium computation.

SC H 4293
Status: Pending
Establishes the state Election Security Council, provides for the council's composition, duties, powers and responsibilities, provides that after the effective date of this act, all voting systems used in the state shall utilize a paper-based system using paper ballots tabulated by optical scanners as the ballot of record, requires the General Assembly to appropriate the funds necessary to purchase the voting systems required by this section.

SC S 374
Status: Pending
Establishes the state Election Security Council, provides for the council's composition, duties, powers and responsibilities, provides that after the effective date of this act all voting systems used in the state shall utilize a paper-based system using paper ballots tabulated by optical scanners as the ballot of record, requires the general assembly to appropriate the funds necessary to purchase the voting systems required by this section.

South Dakota

SD H 1044
Status: Enacted
Makes an appropriation to the Board of Regents to fund the development of the Cyber Incubator and Entrepreneurial Center at Dakota State University, declares an emergency.

Tennessee

TN HR 249
Status: Pending
Directs the Tennessee Department of Financial Institutions to conduct a study relative to the application of blockchain and related technology in the financial services sector and to recommend any changes to the laws and rules of this State that impact the application of those technologies in this state.

Utah

UT H 41
Status: Enacted
Addresses water policies of the state, outlines the water policies of the state, encourages state agencies to follow the state policy, addresses suits referencing the state policy, requires an annual review of the policy.

UT H 158
Status: Failed
Creates affirmative defenses to causes of action arising out a data breach involving personal information, restricted information, or both personal information and restricted information, provides that an entity may not claim an affirmative defense if the entity had notice of a threat or hazard, establishes the requirements for asserting an affirmative defense, provides a severability clause.

Virginia

VA H 322
Status: Pending—Carryover
Relates to Virginia Information Technologies Agency, relates to Cybersecurity Advisory Council created, relates to report, creates the Cybersecurity Advisory Council to assist the chief Information officer (CIO) of the Virginia Information Technologies Agency with the development of policies, standards and guidelines for assessing security risks, determining appropriate security measures, and performing security audits of government electronic information, provides that make recommendations to the CIO.

VA H 524
Status: Failed
Relates to the register of volunteer cybersecurity and information technology professionals, directs the secretary of administration to establish a register of cybersecurity and information technology professionals interested in volunteering to assist localities and school divisions, in collaborating on workforce development, and in providing mentorship opportunities.

VA H 852
Status: Enacted
Relates to the Information Technologies Agency, requires the chief information officer of the Information Technologies Agency to develop and annually update a curriculum and materials for training all state employees in information security awareness and in proper procedures for detecting, assessing, reporting, and addressing information security threats.

VA H 957
Status: Failed
Relates to Virginia Cyber Initiative Act, directs the Virginia Information Technologies Agency to work with public and private institutions of higher education, state agencies, and businesses in the Commonwealth to develop a cyber alliance, to be known as the Virginia Cyber Initiative, to reduce cyber risks and encourage economic development in the cybersecurity field.

VA H 1082
Status: Enacted
Relates to Emergency Services and Disaster Law, relates to definition of disaster, relates to incidents involving cyber systems, defines cyber incident for purposes of the Emergency Services and Disaster Law as an event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems.

VA H 1334
Status: Enacted
Establishes standards for insurance data security, for the investigation of a cybersecurity event, and for the notification to the commissioner of Insurance and affected consumers of a cybersecurity event, requires insurers to develop, implement, and maintain a comprehensive written information security program based on an assessment of its risk that contains administrative, technical, and physical safeguards.

VA HJR 23
Status: Failed
Relates to study; relates to Department of Elections; relates to use of blockchain technology to protect voter records and election results; relates to report; requests the Department of Elections to conduct a study to determine the kinds of blockchain technology that could be used to secure voter records and election results, determine the costs and benefits of using such technology as compared to traditional registration and election security measures, and make recommendations.

VA HJR 64
Status: Adopted
Requests the Information Technologies Agency to study the Commonwealth's susceptibility, preparedness, and ability to respond to ransomware attacks, provides that in conducting its study, the agency shall assess the Commonwealth's susceptibility to ransomware attacks at the state and local levels of government.

VA S 378
Status: Enacted
Relates to computer trespass, relates to penalty, expands the crime of computer trespass to provide that the prohibited actions that constitute computer trespass are criminalized if done through intentionally deceptive means and without authority, specifies that a computer hardware or software provider, an interactive computer service, or a telecommunications or cable operator does not have to provide notice of its activities to a computer user that a reasonable computer user should expect may occur.

VA S 641
Status: Pending—Carryover
Relates to civil action, relates to sale of personal data, requires a person that disseminates, obtains, maintains, or collects personal data about a consumer for a fee to implement security practices to protect the confidentiality of a consumer's personal data, obtain express consent of a parent of a minor before selling the personal data of such minor, provide access to consumers to their own personal data that is held by the entity, and refrain from maintaining or selling data.

VA S 1003
Status: Enacted
Relates to computer crimes, relates to penalty, provides that it is a Class 1 misdemeanor for a person to maliciously use an Internet-capable computer as part of a hoax to cause another person to expend monetary funds that would not have been expended if not for the hoax if the person using such computer knew or should have known that the funds would be expended, provides that it is not a defense that the defendant did not receive any direct or indirect benefit from the hoax.

Vermont

VT H 157
Status: Pending
Relates to adopting minimum security standards for connected devices.

VT H 692
Status: Pending
Relates to providing mandatory cybersecurity awareness training to municipal employees.

VT H 895
Status: Pending
Relates to creating an Information Technology Development Initiative.

VT S 304
Status: Pending
Relates to an Interbranch Cybersecurity Task Force.

Washington

WA H 1251
Status: Enacted
Concerns security breaches of election systems or election data including by foreign entities.

WA H 1840
Status: Failed--adjourned
Concerns the removal of payment credentials and other sensitive data from state data networks.

WA H 2111
Status: Failed--adjourned
Concerns enhancing cybersecurity by eliminating the return of ballots by fax and email.

WA H 2293
Status: Failed--adjourned
Exempts election security information from public records disclosure.

WA H 2325
Status: Failed--adjourned
Makes current fiscal biennium supplemental operating appropriations.

WA H 2647
Status: Failed--adjourned
Concerns election security.

WA H 2663
Status: Failed--adjourned
Concerns maximum salaries for skill center certificated instructional staff training students to work in skill center identified high-demand fields, including as veterinary technicians, nursing or medical assistants, or cybersecurity specialists.

WA S 5153
Status: Failed--adjourned
Makes 2019-2021 biennium operating appropriations.

WA S 6285
Status: Failed--adjourned
Exempts election security information from public records disclosure.

WA S 6412
Status: Failed--adjourned
Concerns election security.

Wisconsin

WI A 819
Status: Failed
Imposes requirements related to insurance data cybersecurity, grants rulemaking authority.

WI S 784
Status: Failed
Imposes requirements related to insurance data cybersecurity, grants rulemaking authority.


West Virginia

WV S 261
Status: Enacted
Creates criminal penalties for introducing ransomware into computer with intent to extort.

District of Columbia

DC B 612
Status: Pending
(Introduced) Amends the Office of the Chief Technology Officer Establishment Act to strengthen the district government's cybersecurity posture, amends the Technology Services Support Act to rename the DC NET Services Support Fund and modify the purposes for which money in that hind may be expended to respond to the demand within the District government for innovative technologies.

Puerto Rico

PR H 92
Status: Pending—Carryover
Creates the Investigative Cyber Crimes Unit under the Department of Justice which will be in charge of investigating and prosecuting serious and less serious crimes and/or misdemeanors related to the right to privacy, ownership, identity and security in commercial transactions, when committed using electronic means, such as the Internet and the computer.

PR HR 257
Status: Pending—Carryover
Orders the House Committees on Finance and Public Security to investigate the information systems of the Department of the Treasury, its maintenance and the reasons for a cyber virus that caused on Jan. 6, 2017, the Department of the Treasury to raise about $20 million, determines if the information from taxpayers and the government hosted on the servers of the Department of the Treasury was affected as a result of this cyber virus.

PR HR 367
Status: Pending—Carryover
Orders the House Committee on Public Safety to assess the feasibility of establishing a forensic laboratory in cyber crimes, similar to that of the Immigration and Customs Enforcement, which provides services exclusively to state agencies.

PR HR 475
Status: Pending—Carryover
Orders the House Committee on Public Safety to research the practices and policies of cybersecurity and of the executive departments and agencies of the Government, with urgency in the Department of the Treasury, the State Department and Department of Public Safety.

​​​​​​