States with large sectors to protect and develop have taken the lead in America in developing and promoting cybersecurity regulations for organizations and consumers. The most high-profile to date are New York State’s regulations to ensure its financial institutions remain secure and vigilant against cyber attacks.
Meanwhile, hackers have also profited from attacks on city governments in Alabama, North Carolina, Tennessee, New Jersey, Texas, Minnesota, and more. Atlanta’s attack was particularly widespread, affecting nearly 6 million people and costing the city over $11.5m in damages.
State approaches to cybersecurity regulation are providing the Federal government with models to consider as it crafts its own nation-wide laws.
Why Do The States Need Cybersecurity Regulations?
States are seeing close-up that cybersecurity is of the utmost importance to their industries and residents. States feel the need to regulate because:
- Instead of just walking into a bank and robbing the teller, cybercriminals now have a plethora of ways to steal money and valuable information from enterprises.
- The increased reliance on information technology, the rapid growth of online transactions, and commensurate exposure to the data of private individuals have made cybersecurity a critical component of the economy.
- Cybersecurity is important for the protection of essential government services, first-response emergency and law enforcement activities, and critical infrastructures like the national power grid.
Key Areas of State-level cybersecurity regulation include:
- Continuous improvements to government security practices
- Providing funds for cybersecurity initiatives and programs
- The restriction of public disclosure of sensitive security information
- Encouraging and promoting training in the workforce
What States Are Leading Cybersecurity Legislation?
New York, New Jersey, and California are amongst the most significant contributors to impending Federal cybersecurity legislation.
New York State
Some high-profile legislation that has already been put in place or is in progress in New York State in 2018 includes:
- Amendments to two penal laws: one relating to cyber terrorism and the other to phishing
- The formation of a government cybersecurity advisory board
- The revision of all cybersecurity services provided to the State every five years
- Amendments to the banking laws that require lending institutions to supply consumers with PIN numbers to be used with chip-embedded cards
- Increases in the penalties involving the use of personal information for fraud, theft, tampering and use of a computer to commit a crime
- Amendments to laws affecting businesses, including penalties for customer data breaches and tax credits for the purchase of cybersecurity insurance
- The enactment of the personal information protection act. This establishes a personal information bill of rights for consumers.
- The establishment of the computer security act addressing the problem of installing spyware on devices without the permission of owners.
New Jersey
In 2018, New Jersey addressed its own cybersecurity issues in a less punitive manner. Some of the State’s legislation involves:
- A proposal that requires certain persons and businesses to maintain comprehensive information security programs
- A proposal that requires state, county and municipal employees, including state contractors, to complete cybersecurity awareness training programs
- A proposal that will require state employees to review best cybersecurity practices frequently
- The designation of October of each year to be cybersecurity awareness month
- A proposal that urges the Secretary of State to assure the legislature and public that the New Jersey state electoral system is protected against external or foreign computer hackers
- A proposal that requires the Economic Development Authority (EDA) to offer low-interest loans to financial institutions and personal data businesses to aid in protection against customer data breaches.
- A proposal that requires that the secretary of state adopt regulations that describe the best practices for the storage and security of voter registration information received.
- A cybersecurity proposal that addresses consumer credit reporting agencies and related businesses that handle personal data. Both entities must take measures to protect private data.
- A proposal that requires that a manufacturer who sells or offers to sell an Internet-connected device in California must equip the device with reasonable cybersecurity features.
- The proposed establishment of a California Cybersecurity Integration Center (CCIC) within the office of emergency services.
Impact on Business
The overall intention of the legislation that States are considering or have made into law is to hold businesses responsible for data breaches and to aid them in that effort.
Businesses need to develop and implement security policies that prevent cybercrime. Company policies should cover all computer systems and management policies related to the use and management of data.
As the States evolve and promote consumer rights to digital privacy, lawsuits against violators are probable. Cybersecurity planning and management will help organizations defend against lawsuits brought against them in case they suffer breaches of private information.
Businesses that fail to plan and implement policies that meet State cyber regulations may come to regret their inaction.
How State and Federal Responses Differ
The States are increasingly moving toward a European Union (EU)-style framework that holds enterprises responsible for the prevention and notification of cybersecurity breaches. In May 2018, the EU enacted its General Data Protection Regulation (GDPR), which provides consumers with well-defined rights to the use of their private data.
GDPR also spells out penalties for companies that violate those rights, with the most severe judgments for companies that lose control of the private data of EU citizens. Evolving Federal standards, however, are still concerned with the collation and coordination of information about cybersecurity crimes throughout the country.
The Federal government may one day fall into step with the States. Harmonization of cybersecurity at State and Federal levels will reduce the confusion and costs for organizations that do business across state lines. Until that time, however, companies that straddle state borders will have to deal with a plethora of cyber regulations throughout the country, with a layer of Federal oversight to consider.
To keep up to date on State-level cybersecurity proposals and legislative actions, see http://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2018.aspx for a comprehensive list for each State during 2018.
You can also email us here at Coranet, and we will provide you with much-needed answers and analysis to this complex and fast-changing environment.
Coranet is a certified Woman-Owned Information Technology Organization that has been meeting the requirements of Enterprise and Government entities for over 30 years. Network Engineering and Technical Support is part of our foundation and we continue this proud tradition with a 360-degree approach to technology solutions and services in the areas of Audio Visual, Network & Physical Security, IT Infrastructure, and Consulting/Project Management. Coranet is ISO 9001 registered, Lean Six Sigma and WBENC certified.
Please contact us at Sales@coranet.com for more information.