Number of state-level cyber bills doubled in 2015 — database
State lawmakers introduced twice as many bills involving cybersecurity issues in 2015 compared to a year ago, according to a StateScoop analysis of legislative activity, using a database developed by FiscalNote.
The database shows that legislators in 19 states introduced 75 bills on the subject over the last year, after lawmakers in eight states put forward 37 cybersecurity bills in 2014.
However, the rate at which those bills actually became laws dropped precipitously from one year to the next. Last year, 18 of the 37 cyber bills were enacted, while just 17 of 2015’s 75 bills managed to become law.
A particular area of focus for states in 2015 was the intersection of cybersecurity and public records law.
California passed a law in October stipulating that all state and local agencies make available to the public a full inventory of their enterprise systems, including any cybersecurity systems. However, the law allows agencies to keep some of that information confidential should they prove that releasing it “could result in negative consequences.”
Virginia also passed a pair of bills in March to more aggressively shield cybersecurity information.
One alters the state’s public records law, allowing state officials to withhold information “regarding specific cybersecurity threats or vulnerabilities” and any “cybersecurity planning or protection” so long as they can demonstrate “with reasonable particularity” that the protection is necessary to keep the state secure. The other allows public bodies, like state commissions or legislative committees, to hold closed meetings if they want to discuss “plans to protect public safety” in response to cyberthreats.
Lawmakers in Michigan and Florida introduced similar bills, but those have yet to pass.
At the same time, several pieces of legislation directed state workers and leaders to put a greater focus on bolstering their cyber defenses.
In particular, Connecticut passed a bill instructing several of its agencies to work together to create a report on the cybersecurity issues facing the state and compile a set of recommendations to address them by January 2017. Similarly, Maryland enacted a measure to convene a council of state leaders to work with the federal government on cyberthreats.
Along similar lines, state legislators also introduced dozens of bills in 2015 involving cybersecurity failures. In all, lawmakers in 21 states introduced 35 bills involving data breaches, according to FiscalNote’s database. That total is on par with 2014’s totals, when legislators in 13 states put forward 31 bills on the topic.
Those bills became law at similar rates across the years — 10 passed legislatures in 2015, while nine did in 2014.
Two other hot topics in state cyber breach bills were provisions surrounding student data and information collected by automatic license plate readers used by law enforcement agencies.
Overall, seven bills in five states dealt with breaches of student data, while five bills in four states addressed breaches of the license plate reader data.