Data Security Laws | State Government



computer and lockState governments hold a vast amount of data about citizens, including personally identifiable information such as Social Security numbers, driver’s license information, and tax and financial information.

 State databases also have become attractive targets for cybercriminals, who sell the data for personal gain or use it to access government networks or services, to disrupt critical infrastructures or to expose or embarrass governments and officials.

Citizens are often required to provide certain types of data to state government agencies, so protecting that information and maintaining the public's trust is critically important. 

All states have security measures in place to protect data and systems. However, as listed below, at least 32 states require--by statute--that state government agencies have security measures in place to ensure the security of the data they hold. Many of these laws have been enacted in just the past two to three years, as cybersecurity threats and attacks against government have increased.

These recent enactments tend to require a statewide, comprehensive approach to security and security oversight. An increasing number of laws also require specific measures to to protect sensitive information from unauthorized access, destruction, use, modification, or disclosure. The measures include required training for state employees, periodic security audits or assessments, development of standards and guidelines, and other provisions. 

Several states also require government entities to destroy or dispose of personal information so it is unreadable or indecipherable. In addition to the laws listed here, at least 24 states also have data security laws that apply to private entitiesOther state and federal laws address the security of health care data, financial or credit information, social security numbers or other specific types of data. 

PLEASE NOTE: NCSL serves state legislators and their staff. This site provides general comparative information only.

The box allows you to conduct a full text search or type the state name.

Data Security Laws--Government
State Statutory Citation / Link Applies to Government: Statutory Summary/Excerpt
Alabama Ala. Code § 8-38-3 The state, a county or a municipality or instrumentality of same and third-party agents. Implement and maintain reasonable security measures to protect sensitive personally identifying information as specified.


Ariz. Rev. Stat. § 18-105

State budget units and state agencies

Establishes a statewide information security and privacy office. Provides that the office serve as the strategic planning, facilitation and coordination office for information technology security in the state. Individual budget units continue to maintain operational responsibility for information technology security. Provides for the appointment of a statewide chief information security officer to manage the statewide information security and privacy office. Requires the office to direct security and privacy compliance reviews, identify and mitigate security and privacy risks, monitor compliance with policies and standards, and coordinate training programs.


Calif. Govt. Code § 11549.3 et seq.


Calif. Govt. Code § 8592.30-8592.45


Calif. Govt. Code § 8586.5


State agencies.

Comply with information security program developed by the Chief of the Office of Information Security, as specified/detailed in statute, including conducting an annual independent security assessment.


Requires each state agency to implement cybersecurity strategy incident response standards to secure its critical infrastructure controls and critical infrastructure information.


Establishes the California Cybersecurity Integration Center (Cal-CSIC) to develop a statewide cybersecurity strategy. Requires Cal-CSIC to establish a cyber incident response team and directs all state departments and agencies to comply with information security and privacy policies and to promote awareness of information security standards with their workforce.


C.R.S. §§ 24-37.5-403-404, -404.5-405 

Public agencies, institutions of higher education, General Assembly

Requires the chief information security officer to: 

(a) Develop and update information security policies, standards, and guidelines for public agencies;

(b) Promulgate rules pursuant to article 4 of this title containing information security policies, standards, and guidelines;

(c) Ensure the incorporation of and compliance with information security policies, standards, and guidelines in the information security plans developed by public agencies pursuant to section 24-37.5-404;

(d) Direct information security audits and assessments in public agencies in order to ensure program compliance and adjustments. Establishes the Colorado Cybersecurity Council and provides for coordination of missions related to homeland security and cybersecurity.


Requires public agencies and institutions of higher education to develop an information security plan utilizing the information security policies, standards, and guidelines developed by the chief information security officer. Provides for an information security plan for communication and information resources that support the operations and assets of the general assembly


Encourages the CISO to assess the data systems of each public agency for the benefits and costs of adopting and applying distributed ledger technologies such as blockchains. 


C.G.S. § 4e-70

Any state agency with a department head and any state agency disclosing confidential information to a contractor pursuant to a written agreement with such contractor for the provision of goods or services for the state.

Implement and maintain a comprehensive data-security program for the protection of confidential information.


The Secretary of the Office of Policy and Management, or the secretary's designee, may require additional protections or alternate measures of security assurance when warranted.

Delaware 29 Del. Code § 9011C State agencies

Provides that the Department of Technology and Information may develop and implement a comprehensive information security program that applies personnel, process, and technology controls to protect the state's data, systems, and infrastructure. The department also shall identify and address information security risks to each State agency, to third-party providers, and to key supply chain partners. Provides for a central Security Operations Center to direct statewide cyber defense and cyber threat mitigation. Implements technical compliance to state-owned technology as required by law or as recommended by private industry standards. Allows the department to temporarily disrupt the exposure of an information system or information technology infrastructure that is owned, leased, outsourced, or shared by one or more state agencies in order to isolate the source of, or stop the spread of, an information security breach or other similar information security incident.


Fla. Stat. § 282.318

Fla. Stat. § 20.61

State agencies.

Comply with the statewide information technology security standards and processes developed by the Agency for State Technology as specified/detailed in statute, including conducting and updating a comprehensive risk assessment every three years, creating an incident response team and reporting process, and providing security and cybersecurity awareness training for all state agency employees.


Georgia Code § 50-25-4 


The Georgia Technology Authority shall have the following powers

(21) To establish technology security standards and services to be used by all agencies;

 (22) To conduct technology audits of all agencies;

Idaho Idaho Code §§ 67-827, 67-827A State agencies

Creates the office of information technology services (OITS) within the office of the governor. Designates the administrator of OITS to oversee all information technology services and cybersecurity policies within the state. This includes the coordination and implementation of cybersecurity policies, information security needs, tests and vulnerability scans to mitigate risks and mandatory education and training of state employees.


20 ILCS 1375/Art. 5

30 ILCS 5/3-2.4

State agencies

Establishes the Office of Statewide Chief Information Security Officer to serve as the strategic planning, facilitation and coordination office for information technology security in the state. Provides services to support agencies, such as identifying risks through assessments, coordinating statewide information security awareness and training programs, among other responsibilities specified/detailed in statute.

Cybersecurity audit. Requires the Auditor General to review state agencies and their cybersecurity programs and practices, with a particular focus on agencies holding large volumes of personal information.


Ind. Code § 4-13.1-2-2  


State agencies

The Office Of Technology shall

   (9) Review projects, architecture, security, staffing, and expenditures.

   (10) Develop and maintain policies, procedures, and guidelines for the effective and secure use of information technology in state government.

   (11) Advise the state personnel department on guidelines for information technology staff for state agencies.

   (12) Conduct periodic management reviews of information technology activities within state agencies upon request.

Kansas Kan. Stat. § 75-7240 Executive branch agencies

Requires executive branch agency heads to ensure that information security programs are in place, implement security policies, standards and cost-effective safeguards to reduce, eliminate or recover from identified threats to data and information technology resources; include cybersecurity requirements in agency request for proposal specifications for procuring data and information technology systems and services; submit a cybersecurity assessment report to the CISO by October 16 of each even-numbered year, and other requirements as specified in statute. 


K.R.S. § 42-724

K.R.S. § 61.932(1)

Public agencies and nonaffiliated third parties.


An agency or nonaffiliated third party that maintains or otherwise possesses personal information, regardless of the form in which the personal information is maintained, shall implement, maintain, and update security procedures and practices, including taking any appropriate corrective action, to protect and safeguard against security breaches.

Reasonable security and breach investigation procedures and practices established and implemented by organizational units of the executive branch of state government shall be in accordance with relevant enterprise policies established by the Commonwealth Office of Technology.


Md. State Govt. Code §§ 10-1301, -1304

An executive agency, a department, a board, a commission, an authority, a public institution of higher education, a unit or an instrumentality of the State; or a county, municipality, bi–county, regional, or multicounty agency, county board of education, public corporation or authority, or any other political subdivision of the State.

Implement and maintain a written information security policy and reasonable security procedures and practices that are appropriate to the nature of the personal information collected and the nature of the unit and its operations.


Require, by written contract or agreement, that third parties implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information disclosed to the nonaffiliated third party.


Mass. Gen. Laws Ch. 93H § 2(c)


The legislative branch, the judicial branch, the attorney general, the state secretary, the state treasurer and the state auditor.

Adopt rules or regulations designed to safeguard the personal information of residents of the commonwealth for their respective departments and shall take into account the size, scope and type of services provided by their departments, the amount of resources available thereto, the amount of stored data, and the need for security and confidentiality of both consumer and employee information.


Minn. Stat. § 16E.03

State agencies in the executive branch of state government, including the Minnesota Office of Higher Education, but not the Minnesota State Colleges and Universities.

Provides that the chief information officer (CIO) shall establish and enforce standards and ensure acquisition of hardware and software necessary to protect data and systems in state agency networks connected to the Internet.


Further provides that the CIO shall establish cyber security policies, guidelines, and standards and install and administer state data security systems on the state's computer facilities consistent with policies, guidelines, standards, and state law to ensure the integrity of computer-based and other data and to ensure applicable limitations on access to data.


Mont. Code § 2-6-1502

Each state agency that maintains personal information.

Develop procedures, as specified/detailed in statute, to protect personal information while enabling the state agency to use personal information as necessary for the performance of its duties under federal or state law.


Nev. Rev. Stat. §  480.900 et seq.

Nev. Rev. Stat. § 603A.210

State agencies; some provisions for local governments

Creates the Nevada Office of Cyber Defense Coordination to perform a variety of duties relating to the security of information systems of state agencies, including setting procedures for risk-based assessments; developing best practices for preparing for and mitigating such risks; preparing, maintaining and testing a statewide strategic plan regarding the security of information systems in Nevada. Requires the office to establish partnerships with local governments, the Nevada System of Higher Education and private entities. Requires each city or county to maintain a cybersecurity incident response plan.


Provides that governmental agencies that maintain records which contain personal information of a resident of the state, the data collector shall, to the extent practicable, with respect to the collection, dissemination and maintenance of those records, comply with the current version of the CIS Controls as published by the Center for Internet Security, Inc. or its successor organization, or corresponding standards adopted by the National Institute of Standards and Technology (NIST).

New York New York State Tech. Law § 103 State agencies.

Provides for the office of information technology services to advise and assist state agencies in developing policies, plans and programs for improving the statewide coordination, administration, security, confidentiality, program effectiveness, acquisition and deployment of technology. Also authorizes the office to perform technology reviews and make recommendations for improving management and program effectiveness pertaining to technology; and to review and coordinate the purchase of technology by state agencies. Requires that, where applicable, the review should include but not be limited to: assessing consistency with the statewide strategic technology plan and agency technology plan; statewide technology standards; the safeguarding of information privacy; security of confidential records; and proper dissemination of public information. Also authorizes the office to o establish statewide technology policies, including but not  limited to preferred technology standards and security, including statewide policies, standards, programs, and services relating to the security of state government nworks and geographic information systems. Also provides for the protection of the state government's cyber security infrastructure, including, but not limited to, the identification and mitigation of vulnerabilities, deterring and responding to cyber events, and promoting cyber security awareness within the state.

North Carolina

N.C. Gen. Stat. §143B-1376(a).  


State agencies.

The state Chief Information Officer shall establish a statewide set of standards for information technology security to maximize the functionality, security, and interoperability of the state's distributed information technology assets, including communications and encryption technologies. The state CIO shall review and revise the security standards annually. As part of this function, the state Chief Information Officer shall review periodically existing security standards and practices in place among the various state agencies to determine whether those standards and practices meet statewide security and encryption requirements. The state Chief Information Officer may assume the direct responsibility of providing for the information technology security of any State agency that fails to adhere to security standards adopted under this Article.

North Dakota N.D. Century Code § 54-59-01 et seq. State agencies, higher education institutions, counties, cities, school districts, or other political subdivisions. Provides that the department of information technology shall advise and oversee cybersecurity strategy for the state agencies and institutions noted. Sets forth requirements for network services and requires the department to  set proper measures for security, firewalls, and internet protocols addressing at the state's interface with other facilities.


Ohio Rev. Code § 125.18

State agencies

Provides that the chief information officer shall establish policies and procedures for the security of personal information that is maintained and destroyed by state agencies. Provides for a chief information security officer (CISO) who is responsible for the implementation of such policies and procedures. Also provides for the CISO to assist agencies with IT security strategic plans and to review those plans.


62 Okl. St. § 34.32

Each state agency that has an information technology system.

Conduct an annual information security risk assessment to identify vulnerabilities associated with the information system. The final information security risk assessment report shall identify, prioritize, and document information security vulnerabilities for each of the state agencies assessed. Failure to comply with the requirements of this subsection may result in funding being withheld from the agency. State agencies shall use either the standard security risk assessment created by the Information Services Division or a third-party risk assessment meeting the ISO/IEC 17799 standards and using the National Institute of Standards and Technology Special Publication 800-30 (NIST SP800-30) process and approved by the Information Services Division.


ORS § 182.122

2016 Ore. Laws Chap. 110

State agencies

Provides for the Oregon Department of Administrative Services, in its sole discretion, to (a) Review and verify the security of information systems operated by or on behalf of agencies;

 (b) Monitor state network traffic to identify and react to security threats; and

 (c) Conduct vulnerability assessments of agency information systems for the purpose of evaluating and responding to the susceptibility of information systems to attack, disruption or any other event that threatens the availability, integrity or confidentiality of information systems or the information stored in information systems.

South Carolina

2018-19 H.B. 4950 Act 264 (sec. 93.21) (appropriations)

All state agencies.

Adopt and implement cyber security policies, guidelines and standards developed by the Department of Administration. The department may conduct audits on state agencies as necessary to monitor compliance.


Upon request, public institutions of higher learning, technical colleges, political subdivisions, and quasi-governmental bodies shall submit sufficient evidence that their cyber security policies, guidelines and standards meet or exceed those adopted and implemented by the department. Exempts judicial and legislative branches.


Tex. Govt. Code § 2054.0286, Tex. Govt. Code § 2054.138

State agencies, third party vendors/contractors

Provides for employment of a statewide data coordinator to improve the control and security of information collected by state agencies;

Requires the statewide data coordinator to develop and implement best practices among state agencies to improve information management and analysis to increase information security.


Utah Code § 63F-2-102

State government

Creates a data security management council, which shall review existing state government data security policies, assess ongoing risks, notify state and local entities of new risks, coordinate breach simulation exercises, develop data security best practices recommendations for state government. Provides for hiring and training of a chief information security officer for each government entity.


56 Vt. Stat. § 3301 et seq. State government Authorizes the Agency of Digital Services to provide services for cybersecurity within state government and requires it to prepare a strategic plan about IT and cybersecurity to the General Assembly. Requires the agency to develop IT and cybersecurity policies and to conduct a security assessment for certain new IT projects. 


Va. Code § 2.2-603

Va. Code §  2.2-2009

Every agency and department in the executive branch of state government, including those appointed by their respective boards or the Board of Education

Every agency and department is responsible for securing the electronic data held by his agency or department and shall comply with the requirements of the commonwealth's information technology security and risk-management program as set forth in § 2.2-2009, and shall report all known incidents that threaten data security.


The CIO shall direct the development of policies, procedures and standards for assessing security risks, determining the appropriate security measures and performing security audits of government electronic information. Such policies, procedures, and standards will apply to the commonwealth's executive, legislative, and judicial branches, and independent agencies and institutions of higher education. 

The CIO shall also develop policies, procedures, and standards that address the scope of security audits and the frequency of such security audits. In addition, the CIO shall conduct an annual comprehensive review of cybersecurity policies of every executive branch agency


RCW 43.105.054
RCW 43.105.020

RCW § 43.105.215

State agencies (certain provisions also apply to institutions of higher education the legislature, and the judiciary)

Requires the Consolidated Technology Services Agency to establish establish security standards and policies to ensure the confidentiality, availability, and integrity of the information transacted, stored, or processed in the state's information technology systems and infrastructure. Also provides for implementing a process for detecting, reporting, and responding to security incidents. The director shall appoint a state chief information security officer. Requires each state agency, institution of higher education, the legislature, and the judiciary to develop an information technology security program that adheres to the office's security standards and policies. Requires each state agency to review and update its program annually and certify to the office that its program is in compliance with the office's security standards and policies. Requires state agencies to obtain an independent compliance audit at least once every three years. 

West Virginia

W.V. Code § 5A-6-4a
W.V. Code § 5A-6B-1 et seq.

Every agency and department.

The Chief Technology Officer is authorized to develop policies, procedures, standards and legislative rules that identify and require the adoption of practices to safeguard information systems, data and communications infrastructures.Provides for annual security audits of all executive branch agencies regarding the protection of government databases and data communications.


Creates the West Virginia Cybersecurity Office under the supervision and control of a Chief Information Security Officer (CISO). Requires the CISO to develop policies, procedures and standards necessary to establish an enterprise cybersecurity program. Requires state agencies to undergo an appropriate cyber risk assessment; adhere to the cybersecurity standard established by the Chief Information Security Officer in the use of information technology infrastructure; and adhere to enterprise cybersecurity policies and standards. Also requires agencies to complete and submit a cyber risk self-assessment report and manage a plan of action and milestones based on the findings of the cyber risk assessment and business needs.


Wyo. Stat. § 9-21-101


Every agency, department, board, commission, council, institution, separate operating agency or any other operating unit of the executive branch of state government.

Requires every agency to adopt, enforce and maintain a policy regarding the collection, access, security and use of data. The policy shall, at a minimum, comply with applicable federal and state law, adhere to standards set by the state chief information officer and include the following: (i) An inventory and description of all data required of, collected or stored by an agency; (ii) Authorization and authentication mechanisms for accessing the data; (iii) Administrative, physical and logical security safeguards, including employee training and data encryption; (iv) Privacy and security compliance standards; (v) Processes for identification of and response to data security incidents, including breach notification and mitigation procedures; (vi) In accordance with existing law, processes for the destruction and communication of data.


Additional Resources