In the wake of growing concerns about data privacy and cyber threats, Massachusetts lawmakers are increasingly focused on evaluating and improving the state's cybersecurity policies and information technology infrastructure. The Senate has created a special committee on cybersecurity readiness, several cybersecurity bills are pending in the legislature, and the Baker Administration has established a new secretariat devoted to information technology.

Senate Committee on Cybersecurity Readiness

This past May, the Massachusetts Senate approved an order creating a special committee to improve the state's cybersecurity readiness. The committee--named the Special Senate Committee on Cyber Security Readiness-- will review and make recommendations for the state to improve its cyber security readiness, enhance technological responses to homeland security and public safety threats, and protect financial, medical, and other sensitive information.

The committee's recommendations are due to the Senate by March 30, 2018. Senator Michael Moore is serving as the Committee's chair, and Senator Cynthia Creem is the Vice Chair. Senators Michael Brady, Eric Lesser, and Ryan Fattman are also serving on the committee.

"Through the establishment of this Special Committee, the Senate is taking proactive steps to address the very real threats that exist within the cyber space," said Senate President Stan Rosenberg, who appointed several of the committee's members. "The findings of the Senate Special Committee will help inform future discussions and potential legislation to keep Massachusetts safe."

Pending Cyber Legislation

Several pieces of cybersecurity legislation are also currently pending in the state legislature this session:

An Act Relative to Cyber Procurements (HB2668): Requires state agencies procuring IT goods or services to give preference to vendors that carry cybersecurity insurance.

An Act Addressing Cybercrime Through Enhanced Criminal Penalties, Civil Remedies, and Transparency (HB2814): Amends various laws regulating electronic security breaches, cybersecurity, and cybercrime, and establishes a special commission on cybersecurity charged with assessing cybersecurity threats and recommending legislation, risk management strategies, and response plans to prevent and mediate attacks.

An Act Ensuring Cyber Security in the Commonwealth (HB3655): Establishes a nine-member task force to study the need for increased cybersecurity within government agencies.

An Act Relative to the Cybersecurity of the Internet of Things and Other Smart Devices (SB179): Requires the Department of Consumer Affairs and Business Regulation to adopt regulations that

safeguard the personal information and Internet of Things personal data of Massachusetts residents.

Creation of Executive Office of Technology Services and Security

Governor Charlie Baker is also increasingly focused on data security and cybersecurity issues. On August 1, the Baker Administration announced the creation of the Executive Office of Technology Services and Security (EOTTS), which is tasked with centralizing the state's IT infrastructure services and reviewing and updating policies and procedures governing state cybersecurity, digital platforms, and data management. Governor Baker has said that the new secretariat will allow state government to streamline state services and improve the state's cybersecurity. Mark Nunnelly, the Executive Director of the Massachusetts Office of Information Technology and a former revenue commissioner, will serve as the first EOTTS Secretary. The Commonwealth does currently have data security regulations (201 CMR 17.00). Effective as of March 1, 2010, the regulations establish minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. The regulations require persons who own or license personal information about a resident of Massachusetts to develop comprehensive information security programs. ML Strategies will continue to monitor and periodically report on developments related to cybersecurity in the Commonwealth.