Despite several new proposals that would nationalize US cyber security and data privacy laws to replace the current patchwork of individual state laws, a federal framework has not yet been established. In the meantime, however, several states have proposed legislation and adopted new initiatives to address growing cyber and privacy threats affecting their citizens.
Virginia. On April 20, 2015, Virginia Governor Terry McAuliffe issued a press releaseannouncing the first state-level organization through which the government and private companies can share critical cyber security threat information. The creation of so-called “Information Sharing and Analysis Organizations” (ISAOs) was first encouraged by President Obama in February 2015 when he issued an executive order directing the federal Department of Homeland Security to encourage states to create ISAOs around the country. President Obama’s hope is that other states will now follow Virginia’s lead in setting up their own ISAOs. As discussed in a previous post, proposed federal legislation would limit civil liability for companies who share cyber threat information with government authorities as long as they ensure certain data privacy protections are in place. Virginia currently ranks 6th out of 50 states with 22 companies in the Fortune 500 who are headquartered in the Commonwealth.
New York. On April 8, 2015, a New York State legislator introduced proposed legislation that would, among other things, require “any person or business that conducts business in New York State” to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity” of “private information.” Private information is defined under the draft legislation to include social security numbers, driver’s license numbers, account numbers, credit or debit card numbers, biometric information, health information, and/or login and password credentials. Certain individuals and organizations who are already subject to more strenuous state or federal standards, or who agree to adopt voluntary National Institute of Standards and Technology (NIST) principles, will be deemed to be in compliance with this new Data Security Act. Should the legislation be enacted, violators could face up to $10 million in penalties for standard violations and $50 million+ for knowing and reckless violations. New York is currently tied for first with California with 54 companies in the Fortune 500 who are headquartered in the State.