Contributing Writer

Defining data protection standards could be a hot topic in state legislation in 2021

News Analysis
Nov 16, 2020 · 6 mins

Some states could follow the New York Shield Act’s lead and set clearer regulatory expectations for reasonable cybersecurity. Election security legislation likely not on the agenda.


Following nationwide elections, a new line-up of state lawmakers will be joining their veteran peers to dig into a host of cybersecurity issues during 2021. Since March, many, if not most, cybersecurity issues at the state level have been derailed so that legislators could grapple with the coronavirus’s overwhelming challenges. Most experts see cybersecurity matters continuing to take a back seat through at least the early months of 2021.

Aside from the pandemic, another factor driving a possible delay in state legislative momentum is the political division throughout the country. “States are going to ask, ‘What’s the likelihood we’re going to pass legislation and it’s going to get overturned [at the national level],’” says Aaron Tantleff, a partner focused on cybersecurity and data privacy at Foley and Lardner. “There’s going to be a little more of ‘Let’s wait and see what’s going to happen at the national level.’”

Once the immediacy of the pandemic dissipates and the political heat cools, cybersecurity issues will likely surface again in new or revived legislation in many states, even if woven throughout other related matters. It’s difficult to separate cybersecurity per se from adjoining issues such as data privacy, which has generally been the biggest topic to involve cybersecurity issues at the state level over the past four years. “You really don’t have this plethora of state cybersecurity laws that would be independent of their privacy law brethren,” Tantleff said.

According to the National Conference of State Legislatures, at least 38 states, along with Washington, DC, and Puerto Rico, introduced or considered more than 280 bills or resolutions that deal significantly with cybersecurity as of September 2020. Setting aside privacy and some grid security funding issues, there are two categories of cybersecurity legislative issues at the state level to watch during 2021. The first and most important is spelling out more clearly what organizations need to meet security and privacy regulations. The second is whether states will pick up election security legislation left over from the 2020 sessions.

Defining reasonable cybersecurity

One cybersecurity topic ripe for legislation is establishing data protection safeguards or standards such as those contained in New York State’s groundbreaking Shield Act, which went into effect on March 21, 2020. The Shield Act requires any person owning or licensing computerized data that includes personal information on any New York resident to implement reasonable safeguards to protect that information’s confidentiality and integrity.

“The Shield Act really is the first law of its kind in the states that spells out what cybersecurity standards organizations need to maintain,” Peter Stockburger, partner in the Data, Privacy, and Cybersecurity practice at global law firm Dentons, tells CSO. Many state laws, including the cutting-edge California Consumer Privacy Act (CCPA), which went into effect this year, mandate that organizations must maintain reasonable cybersecurity related to the sensitivity of the data that needs protecting.

Those laws rarely spell out exactly what reasonable cybersecurity means. “It’s always been an open question as to what reasonable security means,” Stockburger said. “You had some opinions by the attorney general as to what that means. Maybe it’s measuring up against the CIS [Center for Internet Security] controls or the NIST [National Institute of Standards and Technology] framework. The New York Shield Act actually spelled it out.”

The Shield Act lists detailed requirements for reasonable administrative safeguards, reasonable technical safeguards, and reasonable physical safeguards companies should implement to comply with the provisions. Stockburger thinks the Shield Act is an important trend in forcing more companies to meet specific data protection cybersecurity requirements. “I think there’s going to be heightened specificity requirements for cybersecurity standards in the years to come [with] the Shield Act being the kickoff point for that,” he says.

The current lack of specificity can make compliance with some state laws difficult. “My concern is that you create a really highly divergent sort of hodgepodge or multi-jurisdictional laws that make it somewhat difficult for a company to operate these days, even on a national level, forget global,” Tantleff says. “Certainly, the problem is that the privacy aspects take a much more prominent lead on a lot of these things. The security aspects are a little bit more subdued in terms of how divergent they are. It really is a concern about how a company will comply with these divergent set of tasks.”

No major election security shifts likely at the state level

The second class of security issues at the state level are those addressing election security, a topic that has taken center stage at the national level, with the Department of Homeland Security’s Cybersecurity Infrastructure and Security Agency (CISA) currently in the spotlight for its years-long work in ensuring voting security and election integrity. According to the National Conference of State Legislatures’ (NCSL’s) database of election legislation, cybersecurity provisions were in 32 bills across 11 states introduced in 2020 but failed to pass due to the legislatures’ adjournments. (No “carry-over” bills that pick up in a new legislature where they left off at adjournment appear to contain cybersecurity provisions.)

For example, in Kentucky, H 640 required “the State Board of Elections to develop procedures for conducting election procedure audits and post-election audits evaluating the accuracy and security of voting systems in operation in this state.” It failed due to adjournment. Washington State had five bills containing election security provisions die due to adjournment, including S 6285, which exempts election security information from public records disclosure.

The 2020 presidential election’s security became a controversial partisan issue at the national level, but at the state level, most election security issues are relatively straightforward. While these workaday issues will likely emerge again in 2020, it’s doubtful that states will tackle anything in election security beyond that, according to Tantleff.

“There hasn’t been widescale election fraud,” he said. “In fact, if you pull back all the election fraud claims again, there’s very little dealing with cybersecurity. It’s difficult to grab onto something to say we could pass legislation to further enhance our security. I don’t see much there.”