Page 104 - Cyber Warnings
State Cybersecurity Regulation: Another Patchwork Approach?

By Jami Mills Vibbert with Venable LLP


Until recently, state oversight of cybersecurity has been relatively limited. Indeed, although 48
of 50 states have laws related to data breach notification, those laws govern only a small part of
cybersecurity practice—the time following a security incident. Those breach notification laws
form a complicated morass: each requires notification of a security breach under its own set of
circumstances, depending on the type and amount of data involved. That is, the who, what,
when, where, why, and how vary from state to state, often requiring an in-depth analysis by a
breached company to determine what its notification obligations are while it is also trying to
handle the crisis that arises post-breach.

The Health Insurance Portability and Accountability Act (HIPAA) has a breach notification
provision that applies nationwide, but applies only to protected health information, and does not
preempt any state law notification requirements. Attempts at an overarching federal breach
notification law have stalled in the past couple of years, and thus companies must continue to
spend time and resources following a security incident dealing with analysis under these
separate laws.

On the other hand, states have remained relatively silent on specific cybersecurity requirements
for companies doing business in that state. A handful of states have attempted to force
companies to focus on cybersecurity by requiring companies to implement “reasonable” or
“adequate” data security measures (including Arkansas, California, Florida, Indiana, Kansas,
Maryland, Minnesota, Rhode Island, Texas, and Utah). These general requirements typically
impose no more on companies than the companies impose on themselves through contracts
with third parties. Only a couple of states have implemented regulations requiring specific
cybersecurity controls. For example, Massachusetts law 201 CMR 17.00 sets forth specific
cybersecurity requirements, including with respect to encryption, monitoring, patches, firewalls,
training, and other controls.

Nevada law NRS 603A.215 requires encryption of personal information transmitted “outside of
the secure system of the data collector.” And a couple of other states require cybersecurity
controls with respect to specific data elements, such as Social Security Numbers or personal
health information. As with breach notification, some federal laws contain requirements for
certain industries or types of sensitive information, including HIPAA with respect to protected
health information and the Gramm-Leach-Bliley Act, which governs some financial institutions.
These are also not preemptive of different or more stringent state laws. Companies subject to
multiple cybersecurity regimes must, as with breach notification, expend resources in
understanding the different requirements of the different federal and state laws to ensure
compliance with each.

This state-specific quilt of cybersecurity controls is growing, which will likely lead to an even


104 Cyber Warnings E-Magazine – June 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
