As employers in the private and public sectors adjust to the advent of flexible work over the last two years, they’re simultaneously trying to protect their organizations from attackers looking to steal and sell data.
2021 was a year defined by significant cyberattacks that crippled infrastructure and shut down hospitals, schools, and municipal governments. It’s the same year the Colonial Pipeline, which supplies gasoline to millions living in the Northeast U.S., was hobbled by a ransomware attack that triggered a gas panic and elevated prices for consumers.
And lawmakers were paying attention—passing dozens of laws in 2022 aimed at training workers, securing government agencies, and funneling money into cybersecurity education programs.
Drata analyzed legislation across all 50 states tracked by the National Conference of Legislatures to identify the states where the most cybersecurity regulations were enacted in 2022. At least 25 states enacted 43 laws that address cybersecurity concerns, out of more than 250 bills proposed and considered by legislatures, including in U.S. territories.
The Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, describes cybersecurity as the “art” of defending computers, electronic devices, and networks against malicious attacks seeking to compromise their function or data.
Companies and government organizations employ cybersecurity methods to keep people who aren’t authorized to see certain information out of those digital spaces and to secure private information or company trade secrets from prying eyes, including criminals.
The average cost of a data breach at a U.S. company in 2022 was $9.4 million, according to IBM’s annual report on cybersecurity threats. Ransomware is one of the most common forms of attack. In a ransomware attack, the offender gains access to a network, takes private information that can often be sensitive, and locks it up with a code only the attacker knows—demanding a ransom be paid to regain access. But access isn’t always granted after a ransom is paid.
Maryland and Florida passed the most new legislation of all states
Maryland’s newest cybersecurity-oriented laws expand on training programs and dedicate public money to protecting digital and information technology infrastructure throughout the state’s government and local governments, including setting standards for its 911 emergency telephone system. The laws also place new requirements on health care and insurance providers.
In Florida, newly enacted laws will require municipalities to adopt cybersecurity standards, report incidents of ransomware, assess steep fines against perpetrators of attacks, and prevent government agencies from paying ransomware demands.
About half of the states in the U.S. did not enact any cybersecurity-related legislation in 2022. Some of those states may convene to make laws less frequently, like Texas, which has a state legislature that gathers every other year. Other states, including Oregon, proposed new laws but did not pass any of them through their legislatures.
Kentucky
– Enacted: 3
– Failed: None
– Vetoed: None
The Kentucky legislature passed three laws in 2022, one of which was a mostly ceremonial resolution urging Congress to take action to mitigate cyberattacks and specifically ransomware. The other two create cybersecurity regulations that apply to insurance firms and investment advisors.
Licensed insurers based in Kentucky will have to implement cybersecurity and data privacy standards and report on them annually to the state. The law also requires organizations to report cybersecurity events to the state no less than three days from when they’re discovered, and it carries a penalty of up to $10,000 per violation. The new law does not apply to any companies already in compliance with federal data privacy and breach laws like the Gramm-Leach-Bliley Act of 1999 or rules issued by the U.S. Department of Health and Human Services.
The other law simply requires all registered investment advisors to create and implement cybersecurity policies that “ensure the confidentiality, integrity, and availability of physical and electronic records and information.”
Virginia
– Enacted: 3
– Failed: 2
– Vetoed: None
In Virginia, lawmakers passed laws requiring public sector agencies to report all cybersecurity incidents to the Virginia Fusion Intelligence Center, and allocating funding to help employers in the state attract and retain cybersecurity professionals. The state is sending tens of millions of dollars to help recruit faculty at Virginia Tech.
Florida
– Enacted: 4
– Failed: 10
– Vetoed: None
Florida passed four laws related to cybersecurity in 2022, including a budget bill that allocates $20.5 million to higher education and workforce development in the industry. About half of that money was earmarked for the Florida Center for Cybersecurity at the University of South Florida while the other half will go to building a “Cyber Attack and Simulation Range” for “highly technical” training. The state is also dedicating $50 million to implement a 2021 task force’s recommendation for better cybersecurity protections for the state’s businesses and government agencies.
Florida also passed a law that exempts some details of cybersecurity attacks and data breaches from public records law, where the information would help criminals learn about “detection, investigation, or response practices.” It does not stop government agencies from reporting the number of incidents and general information about each.
A new Florida statute will also create a penalty for the perpetrators of attacks against government entities equal to twice the total of the ransom demanded.
Maryland
– Enacted: 8
– Failed: 17
– Vetoed: 2
The Modernize Maryland Act of 2022 included requirements for water and sewer systems to assess and report cybersecurity vulnerabilities to the government. It also created a commission and fund to support and implement state and local government cybersecurity investments before the end of 2030.
The state also passed a law setting cybersecurity standards for health care organizations, including most insurers and those that provide care to Medicaid patients. It requires organizations to issue thorough notifications about data breaches affecting more than 250 people in the state and carries a fine of up to $125,000 for each violation of the law.
Another bill revised and expanded the state’s Cybersecurity Public Service Scholarship Program for students interested in pursuing a cybersecurity career. Previously the program supported students who went on to work for state agencies. Now it includes those who go to work for schools and colleges as well as county and municipal governments.
Among the 17 measures that failed in Maryland was one that would have given small businesses a state tax break for spending on cybersecurity measures.