
4 States Passed Nearly Half of All New Cybersecurity Laws Enacted Across the US in 2022

Whether aimed at training workers or regulating insurers, Drata identified the states enacting the most cybersecurity laws over the last year.

by Dom DiFurio

March 29, 2023
Contents

Maryland and Florida Passed the Most New Legislation of All States
Kentucky
Virginia
Florida
Maryland

As employers in the private and public sectors adjust to the advent of flexible work over the last two years, they're simultaneously trying to protect their organizations from attackers looking to steal and sell data.

2021 was a year defined by significant cyberattacks that crippled infrastructure and shut down hospitals, schools, and municipal governments. It's the same year the Colonial Pipeline, which supplies gasoline to millions living in the Northeast U.S., was hobbled by a ransomware attack that triggered a gas panic and elevated prices for consumers.

And lawmakers were paying attention—passing dozens of laws in 2022 aimed at training workers, securing government agencies, and funneling money into cybersecurity education programs.

Drata analyzed legislation across all 50 states tracked by the National Conference of Legislatures to identify the states where the most cybersecurity regulations were enacted in 2022. At least 25 states enacted 43 laws that address cybersecurity concerns, out of more than 250 bills proposed and considered by legislatures, including in U.S. territories.

The Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, describes cybersecurity as the "art" of defending computers, electronic devices, and networks against malicious attacks seeking to compromise their function or data.

Companies and government organizations employ cybersecurity methods to keep people who aren't authorized to see certain information out of those digital spaces and to secure private information or company trade secrets from prying eyes, including criminals.

The average cost of a data breach at a U.S. company in 2022 was $9.4 million, according to IBM's annual report on cybersecurity threats. Ransomware is one of the most common forms of attack. In a ransomware attack, the offender gains access to a network, takes private information that can often be sensitive, and locks it up with a code only the attacker knows—demanding a ransom be paid to regain access. But access isn't always granted after a ransom is paid.

While voluntary compliance with standards such as SOC 2 or ISO 27001 can help companies thwart such attacks, many states have enacted legislation to enforce security standards, consequences for committing an attack, and more.

Maryland and Florida Passed the Most New Legislation of All States

Maryland's newest cybersecurity-oriented laws expand on training programs and dedicate public money to protecting digital and information technology infrastructure throughout its state and local governments, including setting standards for its 911 emergency telephone system. It also places new requirements on health care and insurance providers.

In Florida, newly enacted laws will require municipalities to adopt cybersecurity standards and report ransomware incidents, assess steep fines against perpetrators of attacks, and prevent government agencies from paying ransomware demands.

About half of the states in the U.S. did not enact any cybersecurity-related legislation in 2022. Some of those states may convene to make laws less frequently, like Texas, which has a state legislature that gathers every other year. Other states, including Oregon, proposed new laws but did not pass any of them through their legislatures.

Kentucky

Enacted: 3

Failed: None

Vetoed: None

The Kentucky legislature passed three laws in 2022, one of which was a mostly ceremonial resolution urging Congress to take action to mitigate cyberattacks and specifically ransomware. The other two create cybersecurity regulations that apply to insurance firms and investment advisors.

Licensed insurers based in Kentucky will have to implement cybersecurity and data privacy standards and report on them to the state annually. The law also requires organizations to report cybersecurity events to the state within three days of discovering them, and it carries a penalty of up to $10,000 per violation. The new law does not apply to companies already in compliance with federal data privacy and breach laws such as the Gramm-Leach-Bliley Act of 1999 or rules issued by the U.S. Department of Health and Human Services.

The other law simply requires all registered investment advisors to create and implement cybersecurity policies that "ensure the confidentiality, integrity, and availability of physical and electronic records and information."

Virginia

Enacted: 3

Failed: 2

Vetoed: None

In Virginia, lawmakers passed laws requiring public sector agencies to report all cybersecurity incidents to the Virginia Fusion Intelligence Center and allocating funding to help employers in the state attract and retain cybersecurity professionals. The state is sending tens of millions of dollars to help recruit faculty at Virginia Tech.

Florida

Enacted: 4

Failed: 10

Vetoed: None

Florida passed four laws related to cybersecurity in 2022, including a budget bill that allocates $20.5 million to higher education and workforce development in the industry. About half of that money was earmarked for the Florida Center for Cybersecurity at the University of South Florida while the other half will go to building a "Cyber Attack and Simulation Range" for "highly technical" training. The state is also dedicating $50 million to implement a 2021 task force's recommendation for better cybersecurity protections for the state's businesses and government agencies.

It also passed a law that exempted some aspects of cybersecurity attacks and data breaches from public records law, where the information would help criminals learn about "detection, investigation, or response practices." It does not stop government agencies from reporting the number of incidents and general information about each.

A new Florida statute will also create a penalty for the perpetrators of attacks against government entities equal to twice the total of the ransom demanded.

Maryland

Enacted: 8

Failed: 17

Vetoed: 2

The Modernize Maryland Act of 2022 included requirements for water and sewer systems to assess and report cybersecurity vulnerabilities to the government. It also created a commission and fund to support and implement state and local government cybersecurity investments before the end of 2030.

The state also passed a law setting cybersecurity standards for health care organizations, including most insurers and those that provide care to Medicaid patients. It requires organizations to issue thorough notifications about data breaches affecting more than 250 people in the state and carries a fine of up to $125,000 for each violation of the law.

These standards are distinct from other privacy acts such as the Health Insurance Portability and Privacy Act (HIPAA) but relate similarly to the required protection of private client information.

Another bill revised and expanded the state's Cybersecurity Public Service Scholarship Program for students interested in pursuing a cybersecurity career. Previously the program supported students who went on to work for state agencies. Now it includes those who go to work for schools and colleges as well as county and municipal governments.

Among the 17 measures that failed in Maryland was one that would have given small businesses a state tax break for spending on cybersecurity measures.
