Four States Passed Nearly Half of All New Cyber Laws in 2022
As employers in the private and public sectors have adjusted to the advent of flexible work over the last two years, they have simultaneously been trying to protect their organizations from attackers looking to steal and sell data.
2021 was a year defined by significant cyberattacks that crippled infrastructure and shut down hospitals, schools, and municipal governments. It was the same year the Colonial Pipeline, which supplies gasoline to millions living in the Northeast U.S., was hobbled by a ransomware attack that triggered a gas panic and elevated prices for consumers.
And lawmakers were paying attention—passing dozens of laws in 2022 aimed at training workers, securing government agencies, and funneling money into cybersecurity education programs.
Drata analyzed legislation across all 50 states tracked by the National Conference of Legislatures to identify the states where the most cybersecurity regulations were enacted in 2022. At least 25 states enacted 43 laws that address cybersecurity concerns, out of more than 250 bills proposed and considered by legislatures, including in U.S. territories.
The Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, describes cybersecurity as the “art” of defending computers, electronic devices, and networks against malicious attacks seeking to compromise their function or data.
Companies and government organizations employ cybersecurity methods to keep people who aren’t authorized to see certain information out of those digital spaces and to secure private information or company trade secrets from prying eyes, including criminals.
The average cost of a data breach at a U.S. company in 2022 was $9.4 million, according to IBM’s annual report on cybersecurity threats. Ransomware is one of the most common forms of attack. In a ransomware attack, the offender gains access to a network, takes private and often sensitive information, and locks it up with a code only the attacker knows, then demands a ransom for restoring access. But access isn’t always granted after a ransom is paid.