Only 18% Of Cybersecurity Laws Passed In 2018, Despite Consumers Losing $1.4B In Cybercrimes

October 29, 2022

According to data from the National Conference of State Legislatures (NCSL), over 265 cybersecurity laws were proposed at the state level in 2018 — yet only 18% have passed.

This comes at a pivotal moment in time as the year comes to a close. Cybercrimes aren’t an emerging phenomenon; they’re happening all around us, every single day.

Ongoing data breaches at social media networks like Facebook, the EU’s roll-out of GDPR rules and recent revelations about vulnerabilities within U.S. election infrastructure have thrust cybersecurity concerns back into the news cycle here in the United States. The U.S. lags among nations in its cybersecurity laws, but the issue seems to be (slowly) gaining attention from elected officials across the country.

Cybercrime Is Booming

Cybercrime, an umbrella term for crime executed through the use of computer networks and the Internet, has ballooned in recent years as more and more of our daily lives are conducted online. In 2017, cybercrime in the US cost victims at least $1.4 billion, according to a May 2018 report from the FBI’s Internet Crime Complaint Center, better known as IC3.

That number is considered a conservative estimate, based on the 300,000 complaints the IC3 received during 2017. According to the FBI, many people don’t actually report cybercrimes. The month of October has been designated “National Cybersecurity Awareness Month”, and this year the Department of Homeland Security (DHS) launched an awareness campaign to promote cybersecurity principles among the public, urging citizens to be more careful with how they submit personal information online.

But the vulnerabilities posed by increasingly sophisticated cybercrimes aren’t limited to consumer actions. The largest and potentially most damaging data breaches that we saw in 2017 — such as the now-infamous Equifax breach — were the result of slack security protocols at big companies, something that consumers have no control over. Critical infrastructure is also at risk from attack. In 2017, a wave of electricity companies were struck by hackers who were able to take control of grid networks.

Election infrastructure is also at risk. 2018 saw a surge in cybercrimes related to federal, state and local elections across the US, following a similar surge in 2016.

With electoral cybercrimes making huge headlines over the last 2 years, the issue has never been more in the public eye than it is right now.

Federal-level cybersecurity lags

Cybersecurity policies across agencies at the federal level lag behind European counterparts. In 2015, President Obama signed into law the Cybersecurity Information Sharing Act, referred to as CISA, which created a public-private framework for businesses and government agencies to voluntarily share valuable information about cybersecurity threats. The bill enjoyed widespread bipartisan support, and security experts agree that the legislation was a good first step in bolstering the country’s approach to cybercrime.

Among federal agencies, little progress has been made. A recent report released by the White House’s Office of Management and Budget (OMB) concluded that of the 96 federal agencies assessed, 74% were at risk of cyber attacks and needed immediate improvements to their cybersecurity infrastructure. The outlook worsened when President Trump eliminated the cybersecurity coordinator on the National Security Council, a position created by President Obama, fueling concerns that the country’s progress on cybersecurity was eroding.

Congress, meanwhile, successfully passed Rep. Michael McCaul’s Cybersecurity and Infrastructure Security Agency Act, which President Trump signed into law in November 2018. This bill establishes the DHS’s National Protection and Programs Directorate (NPPD) as a standalone federal Cybersecurity and Infrastructure Security Agency (CISA), charged with overseeing federal and civilian cybersecurity programs covering critical infrastructure. CISA will oversee various cybersecurity offices within the federal government, including the Federal Protective Service (FPS), the Office of Biometric Identity Management (OBIM), the Office of Cyber and Infrastructure Analysis (OCIA), the Office of Cybersecurity & Communications (OC&C), and the Office of Infrastructure Protection (OIP). The agency will remain under the purview of DHS, but will have more authority in its duties and will receive increased funding.

State-level cybersecurity measures

States are finding their IT and data infrastructure increasingly attractive to hackers, ransomware and other cybercrime operations. In March 2018, for example, Colorado’s Department of Transportation was hit twice in two weeks with ransomware attacks. In California, several Democratic candidates were targeted by hackers during the lead-up to the recent midterm elections; and in October, it was discovered that at least 19 states had voter registration information covering 35 million U.S. citizens stolen and sold on the Internet.

In general, state governments are steadily (if slowly) making progress on cybersecurity programs. A November 2018 Deloitte-NASCIO Cybersecurity Study found that all 50 states now have a statewide chief information security officer (CISO) or equivalent. State legislatures have also seen a deluge of cybersecurity bills proposed, but only a handful each year have made it into law. In 2017, over 240 bills related to cybersecurity were introduced across 41 states, but just 40 were enacted. In 2018, that number grew to over 265 bills, and yet so far only slightly more than 50 bills have been passed across 22 states. (See the full table of all bills below.)

For every year that states drag their feet at establishing comprehensive, effective cybercrime bills, consumers stand to lose billions of dollars online.

Statewide cybersecurity organizations: New Jersey

States are taking unique approaches to cybersecurity programs, but New Jersey stands out as a clear pioneer in effective cybersecurity measures. The state’s Cybersecurity and Communications Integration Cell was founded by executive order under Gov. Chris Christie in 2015 to act as a one-stop shop for cybersecurity information sharing, analysis, and incident reporting across the state. The program is based on the federal Department of Homeland Security’s National Cybersecurity Communications Integration Center (NCCIC).

Many of the cybersecurity bills proposed and passed across state legislatures are aimed at shoring up state government IT practices to protect against possible data breaches. The Kansas state legislature, for example, passed its Cybersecurity Act of 2018 during the most recent legislative session, formalizing some of the state’s current cybersecurity practices and laying the foundation for the creation of a statewide cybersecurity council.

Now more than ever, users are demanding more access to information about how, when, and where their private data is being used.

Data breach rules to protect citizens: New York and California

States are also grappling with how to protect residents from businesses’ data breaches. Only a handful of states, including California and New York, have created laws aimed at governing cybersecurity requirements for companies that have access to sensitive data.

In 2016, New York Gov. Andrew Cuomo and the state’s Department of Financial Services proposed new regulations designed to require banks, insurance companies and other financial institutions to develop their own cybersecurity programs and designate CISOs. The regulations are considered an important first for state governments in dealing with cybercrime, though some experts disagree as to the effectiveness of the regulations in light of similar rules at the federal level.

More recently, California Gov. Jerry Brown signed the California Consumer Privacy Act of 2018 into law in June. The legislation, introduced by Assembly member Ed Chau (D) and state Sen. Robert Hertzberg (D) and approved with unanimous support, is widely considered the U.S.’s strictest online privacy law on the books. The law, which takes effect in 2020, is similar to the EU’s recently implemented GDPR rules: it gives consumers control over their personal data, granting them the right to know what data is being collected, how it is being collected and how it is being used.

Why isn’t cybersecurity prioritized more?

Despite these significant advancements, the majority of U.S. state governments are still struggling with how best to move forward on cybercrime issues. A controversial bill considered in Georgia’s state assembly points to one of the more prominent reasons why U.S. states have had a hard time passing cybersecurity laws: the technology is complicated, and the level of IT- and security-literacy is woefully low among elected officials.

After the Atlanta city government suffered an embarrassing ransomware attack in March 2018, state Sen. Bruce Thompson (R) introduced SB 315. The proposed legislation sought to define a new type of cybersecurity crime that would have made knowingly attempting “unauthorized computer access” illegal. The bill was approved by the state legislature, despite drawing criticisms from cybersecurity experts and technology stakeholders, including executives from Google and Microsoft.

A contentious provision of the bill would have made a special exemption for unauthorized access to computers or computer networks by organizations seeking to prevent attacks on their own networks. The exemption, critics argued, would have broadly authorized the hacking of other networks and systems under the undefined guise of cybersecurity.

“Network operators should indeed have the right and permission to defend themselves from attack, but, before Georgia endorses ‘hack back’ authority in ‘defense’ or even anticipation of a potential attack with no statutory criteria, it should have a much more thorough understanding of the ramifications of such a policy,” Google and Microsoft executives wrote in a letter to Gov. Deal. “Provisions such as this could easily lead to abuse and be deployed for anticompetitive, not protective purposes.”

Georgia Gov. Deal decided that the bill and its controversial provisions “may inadvertently hinder the ability of government and private industries” to protect against online breaches and hacks, and vetoed the bill in May 2018.

The SNAFU is illustrative of a wider lack of knowledge on cybersecurity among elected and appointed officials within local, state and federal governments. The OMB report mentioned above noted that agencies do not understand cybercrime threats and do not have the resources to combat the current threat environment posed by cyber attacks. With less funding, it’s safe to assume state governments and officials are equally ill-equipped to deal with such threats.

At the enterprise level, businesses in the U.S. suffer from a similar “cybersecurity skills gap.”

Companies are having a hard time finding qualified personnel to take over cybersecurity positions. Information security nonprofit ISACA’s 2018 State of Cybersecurity report, for example, found that 59% of businesses studied currently have unfilled cybersecurity positions, and 30% of businesses surveyed reported that fewer than 25% of applicants for cybersecurity positions are actually qualified to fill those positions.

The US has great potential to be a leader in the realm of cybersecurity, if crucial changes are made in time to stop the steadily increasing rate of cybercrime instances in the nation.

Cybersecurity solutions: what needs to happen to stop the bleed

The 2018 cybersecurity infrastructure law (sometimes also referred to as “CISA”) may address some of the shortcomings of the 2015 CISA law, but it’s still too early to tell just how impactful the new legislation will be. On paper, it looks more like an organizational shuffle than anything else.

At the federal level, a more disciplined approach to IT network security, data policies and cybercrime monitoring would help the U.S. catch up to European counterparts. The OMB report, for instance, recommends standardizing cybersecurity processes and IT capabilities across federal agencies.

In the meantime, state governments will continue to shoulder the burden of cybersecurity. Recognizing this imperative, 39 state governors banded together in 2017 to sign an interstate cybersecurity compact. The “Compact to Improve State Cybersecurity” outlines a set of guidelines for states establishing cybersecurity programs. Recommendations include conducting risk assessments for critical infrastructure; developing integrated data governance policies aimed at better managing data within state networks and systems; incentivizing students and veterans to enter cybersecurity training programs; and creating information-sharing frameworks between state agencies.

And as data breaches become more common — and more devastating — state officials are taking measures to protect their residents. In December 2018, twelve state attorneys general filed suit against a group of healthcare IT companies in the wake of a data breach that occurred in 2015. We may see more of these types of lawsuits moving forward.

Cybersecurity laws passed, pending, or rejected as of Q4 2018

State Law Status State
AZ EO 3 Executive order AZ
CA A 1678 Enacted, Chap. 2108-96 CA
CA A 1859 Enacted, Chap. 2018-532 CA
CA A 1906 Enacted, Chap. 2018-860 CA
CA A 2225 Enacted, Chap. 2018-535 CA
CA A 2678 Failed-adjourned CA
CA A 2748 Failed-adjourned CA
CA A 2812 Failed-adjourned CA
CA A 2813 Enacted. Chap. 2018-768 CA
CA A 3075 Enacted. Chap. 2018-241 CA
CA A 3193 Failed–adjourned CA
CA S 327 Enacted. Chap. 2018-886 CA
CA S 532 Enacted. Chap. 2018-557 CA
CO E.O. 2 Executive order CO
CO E.O. 29 Executive order CO
CO H 1200 Enacted. Chap. 379 CO
CT S 441 Failed–adjourned. CT
FL H.B. 755 Enacted. Chap. 60 FL
FL H 1127 Enacted, Chap. 65 FL
FL H 2125 Adjourned FL
FL H 3355 Adjourned FL
FL H 4045 Adjourned FL
FL H 5001 Enacted. Chap. 9 FL
FL S 1880 Failed FL
FL S 608 Failed FL
GA S 315 Vetoed GA
GA SR 318 Adjourned GA
GA SR 454 Adjourned GA
GA SR 929 Adjourned GA
HI H 598 Failed–adjourned. HI
HI S 955 Failed–adjourned. HI
HI H 1089 Failed–adjourned. HI
HI H 2078 Failed–adjourned. HI
HI H 2091 Failed–adjourned. HI
HI SCR 46 Failed–adjourned. HI
IA H 366 Failed–adjourned. IA
IA H 558 Failed–adjourned. IA
IA H 2252 Enacted. Chap. 1149 IA
IA HSB 76 Failed–adjourned. IA
IA HSB 119 Failed–adjourned. IA
IA HSB 185 Failed–adjourned. IA
IA SSB 1045 Failed–adjourned. IA
IA SSB 1105 Failed–adjourned. IA
ID H 606 Enacted. Chap. 142 ID
ID H 607 Enacted. Chap. 258 ID
IL S 3068 Pending IL
IL H 3158 Pending IL
IL H 3342 Enacted. Chap. 587 IL
IL H 3737 Pending IL
IL H 4861 Pending IL
IL H 5090 Pending IL
IL H 5093 Pending IL
IL H 5547 Enacted. Chap. 914 IL
IL HJR 27 Pending IL
IL HJR 59 Adopted IL
IL S 1410 Pending IL
IL S 2651 Enacted. Chap. 623 IL
IL S 3068 Pending IL
IL S 3202 Pending IL
IL S 3203 Pending IL
IL S 3204 Pending IL
IN H 1112 Failed–adjourned IN
IN S 362 Enacted. Chap. 126 IN
KS H 2331 Failed–adjourned. KS
KS H 2359 Failed–adjourned. KS
KS H 2365 Failed–adjourned. KS
KS H 2560 Failed KS
KS H 2675 Failed–adjourned. KS
KS S 204 Failed–adjourned. KS
KS S 342 Failed–adjourned. KS
KS S 56 Enacted, Chap. 97 KS
KY H 200 Enacted. Chap. 169 KY
KY H 244 Enacted. Chap. 78 KY
LA H 601 Enacted, Chap. 712 LA
MA H 1985 Pending MA
MA H 2668 Pending MA
MA H 2813 Pending MA
MA H 2814 Pending MA
MA H 3365 Pending MA
MA H 4702 Pending MA
MA H 4714 Pending MA
MA S 149 Pending MA
MA S 2060 Pending MA
MA S 2076 Pending MA
MA S 2091 Pending MA
MA S 2622 Pending MA
MA S 2656 Pending MA
MD H 364 Failed – Adjourned MD
MD H 456 Failed MD
MD H 767 Failed – Adjourned MD
MD H 1331 Enacted, Chap. 524 MD
MD H 1819 Enacted, Chap. 566 MD
MD H 695 Enacted. Chap. 304 MD
MD H 874 Enacted. Chap. 281 MD
MD H 1331 Enacted, Chap. 524 MD
MD S 204 Enacted, Chap. 415 MD
MD S 228 Enacted, Chap. 578 MD
MD S 281 Enacted. Chap. 151 MD
MD S 376 Failed MD
MD S 882 Failed – Adjourned MD
MD S 892 Failed – Adjourned MD
MI H 4368 Pending MI
MI H 4369 Pending MI
MI H 4697 Pending MI
MI H 4973 Enacted. Chap. 68 MI
MI H 5128 Pending MI
MI H 5257 Enacted. Chap. 95 MI
MI H 5258 Enacted. Chap. 96 MI
MI S 149 Pending MI
MI S 217 Pending MI
MI S 218 Pending MI
MI S 632 Pending MI
MI S 941 Pending MI
MN H 691 Failed–adjourned. MN
MN H 1080 Failed–adjourned. MN
MN H 1896 Failed–adjourned. MN
MN H 2298 Failed–adjourned. MN
MN H 2868 Failed–adjourned. MN
MN H 2958 Failed–adjourned. MN
MN H 3126 Failed–adjourned. MN
MN H 3365 Failed–adjourned. MN
MN H 3639 Failed–adjourned. MN
MN H 3447 Failed–adjourned. MN
MN H 3638 Failed–adjourned. MN
MN H 3644 Failed–adjourned. MN
MN H 3791 Failed–adjourned. MN
MN H 4016 Failed–adjourned. MN
MN H 4099 Failed MN
MN H 4328 Failed–adjourned. MN
MN H 4385 Vetoed MN
MN H 4420 Failed–adjourned. MN
MN S 798 Failed–adjourned. MN
MN S 1251 Failed–adjourned. MN
MN S 1709 Failed–adjourned. MN
MN S 2507 Failed–adjourned. MN
MN S 3020 Failed–adjourned. MN
MN S 3374 Failed–adjourned. MN
MN S 3648 Failed–adjourned. MN
MN S 3656 Vetoed MN
MN S 3764 Failed–adjourned. MN
MN S 3930 Failed–adjourned. MN
MN S 4002 Failed–adjourned. MN
MO H 1355 Enacted. MO
MO H 1998 Failed–adjourned. MO
MO H 2265 Failed–adjourned. MO
MS H 1147 Failed MS
MS S 2698 Failed MS
NE L 247 Failed NE
NE L 757 Enacted NE
NH H 1335 Enacted. Chap. 63 NH
NJ A 1766 Pending NJ
NJ A 3542 Pending NJ
NJ A 3546 Pending NJ
NJ A 3922 Pending NJ
NJ A 3983 Pending NJ
NJ AJR 54 Pending NJ
NJ AJR 86 Pending NJ
NJ S 998 Pending NJ
NJ S 2692 Pending NJ
NJ SJR 22 Pending NJ
NY A 2765 Pending NY
NY A 3311 Pending NY
NY A 3448 Pending NY
NY A 3451 Pending NY
NY A 4422 Pending NY
NY A 5496 Pending NY
NY A 7480 Pending NY
NY A 7781 Pending NY
NY A 7916 Pending NY
NY A 7997 Pending NY
NY A 8501 Pending NY
NY A 8641 Pending NY
NY A 8674 Pending NY
NY A 9013 Pending NY
NY A 9780 Pending NY
NY A 9843 Pending NY
NY A 10486 To Governor. NY
NY S 924 Pending NY
NY S 926 Pending NY
NY S 953 Pending NY
NY S 1563 Pending NY
NY S 2004 Pending NY
NY S 2406 Pending NY
NY S 3654 Pending NY
NY S 4615 Pending NY
NY S 4719 Pending NY
NY S 5946 Pending NY
NY S 6933 Pending NY
NY S 7555 Pending NY
NY S 7599 Pending NY
NY S 7726 Pending NY
NY S 7940 Pending NY
NY S 8138 Pending NY
OH H 466 Pending OH
OH S 220 Enacted. Chap. 104 OH
OH S 327 Pending OH
PA H 32 Pending PA
PA H 1704 Pending PA
PA S 308 Pending PA
PA S 427 Pending PA
PA S 914 Pending PA
RI H 5543 Pending RI
RI H 5954 Pending RI
RI H 7817 Pending RI
SC H 3427 Pending SC
SC H 4950 Override pending SC
TN H 1519 Failed – Adjourned TN
TN S 1681 Failed – Adjourned TN
UT H 174 Enacted. Chap. 125 UT
UT S 242 Enacted. Chap. 444 UT
VA H 258 Failed – Adjourned VA
VA H 279 Failed – Adjourned VA
VA H 685 Failed VA
VA H 727 Enacted. Chap. 52 VA
VA H 1221 Enacted. Chap. 775 VA
VA H 1317 Failed – Adjourned VA
VA H 5002 a Enacted. Chap. 2 VA
VA S 533 Failed – Adjourned VA
VA S 657 Enacted. Chap. 741 VA
VA S 776 Failed VA
VA S 966 Enacted. Chap. 296 VA
VT H 474 Failed–adjourned. VT
VT H.B. 764 Enacted. Chap. 171 VT
VT H 16a Enacted. Chap. 11 VT
WA H 1233 Failed–adjourned. WA
WA H 1418 Failed–adjourned. WA
WA H 1419 Failed–adjourned. WA
WA H 1421 Failed–adjourned. WA
WA H 1472 Failed–adjourned. WA
WA H 1479 Failed–adjourned. WA
WA H 1697 Failed–adjourned. WA
WA H 1830 Failed–adjourned. WA
WA H 1929 Failed–adjourned. WA
WA H 2406 Failed–adjourned. WA
WA H 2172 Failed–adjourned. WA
WA H 2299 Failed–adjourned. WA
WA H 2388 Failed–adjourned. WA
WA H 2086 Failed–adjourned. WA
WA H 2678 Failed–adjourned. WA
WA H 2999 Failed–adjourned. WA
WA S 5048 Failed–adjourned. WA
WA S 5455 Failed–adjourned. WA
WA S 6032 Enacted. Chap. 299 WA
WA S 6202 Failed–adjourned. WA
WV H 4342 Failed–adjourned. WV
WV S 495 Enacted. Chap. 128 WV
WY H 1 Enacted. Chap. 299 WY
DC B 782 Pending DC
DC B 783 Pending DC
DC B 805 Pending DC
PR H 246 Adopted PR
PR HR 257 Pending PR
PR HR 367 Pending PR
PR HR 475 Pending PR
PR SR 158 Pending PR
