Only 18% Of Cybersecurity Laws Passed In 2018, Despite Consumers Losing $1.4B In Cybercrimes

According to data from the National Conference of State Legislatures (NCSL), over 265 cybersecurity laws were proposed at the state level in 2018 — yet only 18% have passed.[1]

This comes at a pivotal moment in time as the year comes to a close. Cybercrimes aren’t an emerging phenomenon; they’re happening all around us, every single day.

Ongoing data breaches from social media networks like Facebook, the EU’s roll-out of GDPR rules and recent revelations about vulnerabilities within U.S. election infrastructure have thrust cybersecurity concerns back into the news cycle here in the United States. The U.S. lags among nations in its cybersecurity laws, but the issue seems to be (slowly) gaining attention from elected officials across the country.

Cybercrime Is Booming

Cybercrime, an umbrella term for crime executed through the use of computer networks and the Internet, has ballooned in recent years as more and more of our daily lives are conducted online. In 2017, cybercrime in the US cost victims at least $1.4 billion, according to a May 2018 report from the FBI’s Internet Crime Complaint Center, better known as IC3.[2]

That number is considered a conservative estimation, based on the 300,000 complaints the IC3 received during 2017. According to the FBI, many people don’t actually report cybercrimes. The month of October has been designated “National Cybersecurity Awareness Month”, and this year the Department of Homeland Security (DHS) launched an awareness campaign to promote cybersecurity principles among the public, urging citizens to be more careful with how they submit personal information online.

But the vulnerabilities posed by increasingly sophisticated cybercrimes aren’t limited to consumer actions. The largest and potentially most damaging data breaches that we saw in 2017 — such as the now-infamous Equifax breach — were the result of slack security protocols at big companies, something that consumers have no control over. Critical infrastructure is also at risk from attack. In 2017, a wave of electricity companies were struck by hackers who were able to take control of grid networks.[3]

Election infrastructure is also at risk. 2018 saw a surge in cybercrimes related to federal, state and local elections across the US, following a similar surge in 2016.[4]

With electoral cybercrimes making huge headlines over the last 2 years, the issue has never been more in the public eye than it is right now.

Federal-level cybersecurity lags

Cybersecurity policies across agencies at the federal level lag behind European counterparts. In 2015, President Obama signed into law the Cybersecurity Information Sharing Act, referred to as CISA, which created a public-private framework for businesses and government agencies to voluntarily share valuable information about cybersecurity threats. The bill enjoyed widespread bipartisan support, and security experts agree that the legislation was a good first step in bolstering the country’s approach to cybercrime.[5]

Among federal agencies, little progress has been made. A recent report released by the White House’s Office of Management and Budget (OMB) concluded that of the 96 federal agencies assessed, 74% were at risk of cyber attacks and needed immediate improvements to their cybersecurity infrastructure.[6] The outlook worsened when President Trump eliminated the cybersecurity coordinator on the National Security Council, a position created by President Obama, fueling concerns that the country’s progress on cybersecurity was eroding.

Congress, meanwhile, successfully passed Rep. Michael McCaul’s Cybersecurity and Infrastructure Security Agency Act, which President Trump signed into law in November 2018. This bill establishes the DHS’s National Protection and Programs Directorate (NPPD) as a standalone federal Cybersecurity and Infrastructure Security Agency (CISA), charged with overseeing federal and civilian cybersecurity programs covering critical infrastructure. It will oversee various cybersecurity offices within the federal government, including the Federal Protective Service (FPS), the Office of Biometric Identity Management (OBIM), the Office of Cyber and Infrastructure Analysis (OCIA), the Office of Cybersecurity & Communications (OC&C), and the Office of Infrastructure Protection (OIP). The agency will remain under the purview of DHS, but will have more authority in its duties and will receive increased funding.

State-level cybersecurity measures

States are finding their IT and data infrastructure increasingly attractive to hackers, ransomware and other cybercrime operations. In March 2018, for example, Colorado’s Department of Transportation was hit twice in two weeks with ransomware attacks.[7] In California, several Democratic candidates were targeted by hackers during the lead-up to the recent midterm elections; and in October, it was discovered that at least 19 states had voter registration information covering 35 million U.S. citizens stolen and sold on the Internet.[8]

In general, state governments are steadily (if slowly) making progress on cybersecurity programs. A November 2018 Deloitte-NASCIO Cybersecurity Study found that all 50 states now have a statewide chief information security officer (CISO) or equivalent.[9] State legislatures have also seen a deluge of cybersecurity bills proposed, but only a handful each year have made it into law. In 2017, over 240 bills related to cybersecurity were introduced across 41 states, despite just 40 being enacted.[10] In 2018, that number grew to over 265 bills, and yet so far only slightly more than 50 bills have been passed across 22 states. (See the full table of all bills below.) 

For every year that states drag their feet in establishing comprehensive, effective cybercrime bills, consumers stand to lose billions of dollars online.

Statewide cybersecurity organizations: New Jersey

States are taking unique approaches to cybersecurity programs, but New Jersey stands out as a clear pioneer in effective cybersecurity measures. The state’s Cybersecurity and Communications Integration Cell was founded by executive order under Gov. Chris Christie in 2015 to act as a one-stop shop for cybersecurity information sharing, analysis, and incident reporting across the state. The program is based on the federal Department of Homeland Security’s National Cybersecurity Communications Integration Center (NCCIC).

Many of the cybersecurity bills proposed and passed across state legislatures are aimed at shoring up state government IT practices to protect against possible data breaches. The Kansas state legislature, for example, passed its Cybersecurity Act of 2018 during the most recent legislative session, formalizing some of the state’s current cybersecurity practices and laying the foundation for the creation of a statewide cybersecurity council.

Now more than ever, users are demanding more access to information about how, when, and where their private data is being used.

Data breach rules to protect citizens: New York and California

States are also grappling with how to protect residents from businesses’ data breaches. Only a handful of states, including California and New York, have created laws aimed at governing cybersecurity requirements for companies that have access to sensitive data.

In 2016, New York Gov. Andrew Cuomo and the state’s Department of Financial Services proposed new regulations designed to require banks, insurance companies and other financial institutions to develop their own cybersecurity programs and designate CISOs.[11] The regulations are considered an important first for state governments in dealing with cybercrime, though some experts disagree as to the effectiveness of the regulations in light of similar rules at the federal level.[12]

More recently, California Gov. Jerry Brown signed the California Consumer Privacy Act of 2018 into law in June. The legislation, introduced by Assembly member Ed Chau (D) and state Sen. Robert Hertzberg (D) and approved with unanimous support, is widely considered the U.S.’s strictest online privacy law on the books.[13] The law, which takes effect in 2020, is similar to the EU’s recently implemented GDPR rules: it gives consumers control over their personal data, granting them the right to know what data is being collected, how it is being collected and how it is being used.

Why isn’t cybersecurity prioritized more?

Despite these significant advancements, the majority of U.S. state governments are still struggling with how best to move forward on cybercrime issues. A controversial bill considered in Georgia’s state assembly points to one of the more prominent reasons why U.S. states have had a hard time passing cybersecurity laws: the technology is complicated, and the level of IT- and security-literacy is woefully low among elected officials.

After the Atlanta city government suffered an embarrassing ransomware attack in March 2018, state Sen. Bruce Thompson (R) introduced SB 315. The proposed legislation sought to define a new type of cybersecurity crime that would have made knowingly attempting “unauthorized computer access” illegal. The bill was approved by the state legislature, despite drawing criticisms from cybersecurity experts and technology stakeholders, including executives from Google and Microsoft.

A contentious provision of the bill would have made a special exemption for unauthorized access to computers or computer networks by organizations seeking to prevent attacks on their own networks. The exemption, critics argued, would have broadly authorized the hacking of other networks and systems under the undefined guise of cybersecurity.

“Network operators should indeed have the right and permission to defend themselves from attack, but, before Georgia endorses ‘hack back’ authority in ‘defense’ or even anticipation of a potential attack with no statutory criteria, it should have a much more thorough understanding of the ramifications of such a policy,” Google and Microsoft executives wrote in a letter to Gov. Deal. “Provisions such as this could easily lead to abuse and be deployed for anticompetitive, not protective purposes.”

Georgia Gov. Deal decided that the bill and its controversial provisions “may inadvertently hinder the ability of government and private industries” to protect against online breaches and hacks, and vetoed the bill in May 2018.[14]

The SNAFU is illustrative of a wider lack of knowledge on cybersecurity among elected and appointed officials within local, state and federal governments. The OMB report mentioned above noted that agencies do not understand cybercrime threats and do not have the resources to combat the current threat environment posed by cyber attacks. With less funding, it’s safe to assume state governments and officials are equally ill-equipped to deal with such threats.

At the enterprise level, businesses in the U.S. suffer from a similar “cybersecurity skills gap.”

Companies are having a hard time finding qualified personnel to take over cybersecurity positions. Information security nonprofit ISACA’s 2018 State of Cybersecurity report, for example, found that 59% of businesses studied currently have unfilled cybersecurity positions, and 30% of businesses surveyed reported that fewer than 25% of applicants for cybersecurity positions are actually qualified to fill those positions.

The US has great potential to be a leader in the realm of cybersecurity, if crucial changes are made in time to stop the steadily increasing rate of cybercrime instances in the nation.

Cybersecurity solutions: what needs to happen to stop the bleed

The 2018 cybersecurity infrastructure law (sometimes also referred to as “CISA”) may address some of the shortcomings of the 2015 CISA law, but it’s still too early to tell just how impactful the new legislation will be. On paper, it looks more like an organizational shuffle than anything else.

At the federal level, a more disciplined approach to IT network security, data policies and cybercrime monitoring would help the U.S. catch up to European counterparts. The OMB report, for instance, recommends standardizing cybersecurity processes and IT capabilities across federal agencies.

In the meantime, state governments will continue to shoulder the burden of cybersecurity. Recognizing this imperative, 39 state governors banded together in 2017 to sign an interstate cybersecurity compact. The “Compact to Improve State Cybersecurity” outlines a set of guidelines for states establishing cybersecurity programs. Recommendations include conducting risk assessments for critical infrastructure; developing integrated data governance policies aimed at better managing data within state networks and systems; incentivizing students and veterans to enter cybersecurity training programs; and creating information-sharing frameworks between state agencies.

And as data breaches become more common — and more devastating — state officials are taking measures to protect their residents. In December 2018, twelve state attorneys general filed suit against a group of healthcare IT companies in the wake of a data breach that occurred in 2015.[15] We may see more of these types of lawsuits moving forward.

Cybersecurity laws passed, pending, or rejected as of Q4 2018

| State Law | Status | State |
| --- | --- | --- |
| AZ EO 3 | Executive order | AZ |
| CA A 1678 | Enacted, Chap. 2108-96 | CA |
| CA A 1859 | Enacted, Chap. 2018-532 | CA |
| CA A 1906 | Enacted, Chap. 2018-860 | CA |
| CA A 2225 | Enacted, Chap. 2018-535 | CA |
| CA A 2678 | Failed-adjourned | CA |
| CA A 2748 | Failed-adjourned | CA |
| CA A 2812 | Failed-adjourned | CA |
| CA A 2813 | Enacted. Chap. 2018-768 | CA |
| CA A 3075 | Enacted. Chap. 2018-241 | CA |
| CA A 3193 | Failed–adjourned | CA |
| CA S 327 | Enacted. Chap. 2018-886 | CA |
| CA S 532 | Enacted. Chap. 2018-557 | CA |
| CO E.O. 2 | Executive order | CO |
| CO E.O. 29 | Executive order | CO |
| CO H 1200 | Enacted. Chap. 379 | CO |
| CT S 441 | Failed–adjourned. | CT |
| H.B. 755 | Enacted. Chap. 60 | FL |
| FL H 1127 | Enacted, Chap. 65 | FL |
| FL H 2125 | Adjourned | FL |
| FL H 3355 | Adjourned | FL |
| FL H 4045 | Adjourned | FL |
| FL H 5001 | Enacted. Chap. 9 | FL |
| FL S 1880 | Failed | FL |
| FL S 608 | Failed | FL |
| GA S 315 | Vetoed | GA |
| GA SR 318 | Adjourned | GA |
| GA SR 454 | Adjourned | GA |
| GA SR 929 | Adjourned | GA |
| HI H 598 | Failed–adjourned. | HI |
| HI S 955 | Failed–adjourned. | HI |
| HI H 1089 | Failed–adjourned. | HI |
| HI H 2078 | Failed–adjourned. | HI |
| HI H 2091 | Failed–adjourned. | HI |
| HI SCR 46 | Failed–adjourned. | HI |
| IA H 366 | Failed–adjourned. | IA |
| IA H 558 | Failed–adjourned. | IA |
| IA H 2252 | Enacted. Chap. 1149 | IA |
| IA HSB 76 | Failed–adjourned. | IA |
| IA HSB 119 | Failed–adjourned. | IA |
| IA HSB 185 | Failed–adjourned. | IA |
| IA SSB 1045 | Failed–adjourned. | IA |
| IA SSB 1105 | Failed–adjourned. | IA |
| ID H 606 | Enacted. Chap. 142 | ID |
| ID H 607 | Enacted. Chap. 258 | ID |
| IL S 3068 | Pending | IL |
| IL H 3158 | Pending | IL |
| IL H 3342 | Enacted. Chap. 587 | IL |
| IL H 3737 | Pending | IL |
| IL H 4861 | Pending | IL |
| IL H 5090 | Pending | IL |
| IL H 5093 | Pending | IL |
| IL H 5547 | Enacted. Chap. 914 | IL |
| IL HJR 27 | Pending | IL |
| IL HJR 59 | Adopted | IL |
| IL S 1410 | Pending | IL |
| IL S 2651 | Enacted. Chap. 623 | IL |
| IL S 3068 | Pending | IL |
| IL S 3202 | Pending | IL |
| IL S 3203 | Pending | IL |
| IL S 3204 | Pending | IL |
| IN H 1112 | Failed–adjourned | IN |
| IN S 362 | Enacted. Chap. 126 | IN |
| KS H 2331 | Failed–adjourned. | KS |
| KS H 2359 | Failed–adjourned. | KS |
| KS H 2365 | Failed–adjourned. | KS |
| KS H 2560 | Failed | KS |
| KS H 2675 | Failed–adjourned. | KS |
| KS S 204 | Failed–adjourned. | KS |
| KS S 342 | Failed–adjourned. | KS |
| KS S 56 | Enacted, Chap. 97 | KS |
| KY H 200 | Enacted. Chap. 169 | KY |
| KY H 244 | Enacted. Chap. 78 | KY |
| LA H 601 | Enacted, Chap. 712 | LA |
| MA H 1985 | Pending | MA |
| MA H 2668 | Pending | MA |
| MA H 2813 | Pending | MA |
| MA H 2814 | Pending | MA |
| MA H 3365 | Pending | MA |
| MA H 4702 | Pending | MA |
| MA H 4714 | Pending | MA |
| MA S 149 | Pending | MA |
| MA S 2060 | Pending | MA |
| MA S 2076 | Pending | MA |
| MA S 2091 | Pending | MA |
| MA S 2622 | Pending | MA |
| MA S 2656 | Pending | MA |
| MD H 364 | Failed – Adjourned | MD |
| MD H 456 | Failed | MD |
| MD H 767 | Failed – Adjourned | MD |
| MD H 1331 | Enacted, Chap. 524 | MD |
| MD H 1819 | Enacted, Chap. 566 | MD |
| MD H 695 | Enacted. Chap. 304 | MD |
| MD H 874 | Enacted. Chap. 281 | MD |
| MD H 1331 | Enacted, Chap. 524 | MD |
| MD S 204 | Enacted, Chap. 415 | MD |
| MD S 228 | Enacted, Chap. 578 | MD |
| MD S 281 | Enacted. Chap. 151 | MD |
| MD S 376 | Failed | MD |
| MD S 882 | Failed – Adjourned | MD |
| MD S 892 | Failed – Adjourned | MD |
| MI H 4368 | Pending | MI |
| MI H 4369 | Pending | MI |
| MI H 4697 | Pending | MI |
| MI H 4973 | Enacted. Chap. 68 | MI |
| MI H 5128 | Pending | MI |
| MI H 5257 | Enacted. Chap. 95 | MI |
| MI H 5258 | Enacted. Chap. 96 | MI |
| MI S 149 | Pending | MI |
| MI S 217 | Pending | MI |
| MI S 218 | Pending | MI |
| MI S 632 | Pending | MI |
| MI S 941 | Pending | MI |
| MN H 691 | Failed–adjourned. | MN |
| MN H 1080 | Failed–adjourned. | MN |
| MN H 1896 | Failed–adjourned. | MN |
| MN H 2298 | Failed–adjourned. | MN |
| MN H 2868 | Failed–adjourned. | MN |
| MN H 2958 | Failed–adjourned. | MN |
| MN H 3126 | Failed–adjourned. | MN |
| MN H 3365 | Failed–adjourned. | MN |
| MN H 3639 | Failed–adjourned. | MN |
| MN H 3447 | Failed–adjourned. | MN |
| MN H 3638 | Failed–adjourned. | MN |
| MN H 3644 | Failed–adjourned. | MN |
| MN H 3791 | Failed–adjourned. | MN |
| MN H 4016 | Failed–adjourned. | MN |
| MN H 4099 | Failed | MN |
| MN H 4328 | Failed–adjourned. | MN |
| MN H 4385 | Vetoed | MN |
| MN H 4420 | Failed–adjourned. | MN |
| MN S 798 | Failed–adjourned. | MN |
| MN S 1251 | Failed–adjourned. | MN |
| MN S 1709 | Failed–adjourned. | MN |
| MN S 2507 | Failed–adjourned. | MN |
| MN S 3020 | Failed–adjourned. | MN |
| MN S 3374 | Failed–adjourned. | MN |
| MN S 3648 | Failed–adjourned. | MN |
| MN S 3656 | Vetoed | MN |
| MN S 3764 | Failed–adjourned. | MN |
| MN S 3930 | Failed–adjourned. | MN |
| MN S 4002 | Failed–adjourned. | MN |
| MO H 1355 | Enacted. | MO |
| MO H 1998 | Failed–adjourned. | MO |
| MO H 2265 | Failed–adjourned. | MO |
| MS H 1147 | Failed | MS |
| MS S 2698 | Failed | MS |
| NE L 247 | Failed | NE |
| NE L 757 | Enacted | NE |
| NH H 1335 | Enacted. Chap. 63 | NH |
| NJ A 1766 | Pending | NJ |
| NJ A 3542 | Pending | NJ |
| NJ A 3546 | Pending | NJ |
| NJ A 3922 | Pending | NJ |
| NJ A 3983 | Pending | NJ |
| NJ AJR 54 | Pending | NJ |
| NJ AJR 86 | Pending | NJ |
| NJ S 998 | Pending | NJ |
| NJ S 2692 | Pending | NJ |
| NJ SJR 22 | Pending | NJ |
| NY A 2765 | Pending | NY |
| NY A 3311 | Pending | NY |
| NY A 3448 | Pending | NY |
| NY A 3451 | Pending | NY |
| NY A 4422 | Pending | NY |
| NY A 5496 | Pending | NY |
| NY A 7480 | Pending | NY |
| NY A 7781 | Pending | NY |
| NY A 7916 | Pending | NY |
| NY A 7997 | Pending | NY |
| NY A 8501 | Pending | NY |
| NY A 8641 | Pending | NY |
| NY A 8674 | Pending | NY |
| NY A 9013 | Pending | NY |
| NY A 9780 | Pending | NY |
| NY A 9843 | Pending | NY |
| NY A 10486 | To Governor. | NY |
| NY S 924 | Pending | NY |
| NY S 926 | Pending | NY |
| NY S 953 | Pending | NY |
| NY S 1563 | Pending | NY |
| NY S 2004 | Pending | NY |
| NY S 2406 | Pending | NY |
| NY S 3654 | Pending | NY |
| NY S 4615 | Pending | NY |
| NY S 4719 | Pending | NY |
| NY S 5946 | Pending | NY |
| NY S 6933 | Pending | NY |
| NY S 7555 | Pending | NY |
| NY S 7599 | Pending | NY |
| NY S 7726 | Pending | NY |
| NY S 7940 | Pending | NY |
| NY S 8138 | Pending | NY |
| OH H 466 | Pending | OH |
| OH S 220 | Enacted. Chap. 104 | OH |
| OH S 327 | Pending | OH |
| PA H 32 | Pending | PA |
| PA H 1704 | Pending | PA |
| PA S 308 | Pending | PA |
| PA S 427 | Pending | PA |
| PA S 914 | Pending | PA |
| RI H 5543 | Pending | RI |
| RI H 5954 | Pending | RI |
| RI H 7817 | Pending | RI |
| SC H 3427 | Pending | SC |
| SC H 4950 | Override pending | SC |
| TN H 1519 | Failed – Adjourned | TN |
| TN S 1681 | Failed – Adjourned | TN |
| UT H 174 | Enacted. Chap. 125 | UT |
| UT S 242 | Enacted. Chap. 444 | UT |
| VA H 258 | Failed – Adjourned | VA |
| VA H 279 | Failed – Adjourned | VA |
| VA H 685 | Failed | VA |
| VA H 727 | Enacted. Chap. 52 | VA |
| VA H 1221 | Enacted. Chap. 775 | VA |
| VA H 1317 | Failed – Adjourned | VA |
| VA H 5002 a | Enacted. Chap. 2 | VA |
| VA S 533 | Failed – Adjourned | VA |
| VA S 657 | Enacted. Chap. 741 | VA |
| VA S 776 | Failed | VA |
| VA S 966 | Enacted. Chap. 296 | VA |
| VT H 474 | Failed–adjourned. | VT |
| VT H.B. 764 | Enacted. Chap. 171 | VT |
| VT H 16a | Enacted. Chap. 11 | VT |
| WA H 1233 | Failed–adjourned. | WA |
| WA H 1418 | Failed–adjourned. | WA |
| WA H 1419 | Failed–adjourned. | WA |
| WA H 1421 | Failed–adjourned. | WA |
| WA H 1472 | Failed–adjourned. | WA |
| WA H 1479 | Failed–adjourned. | WA |
| WA H 1697 | Failed–adjourned. | WA |
| WA H 1830 | Failed–adjourned. | WA |
| WA H 1929 | Failed–adjourned. | WA |
| WA H 2406 | Failed–adjourned. | WA |
| WA H 2172 | Failed–adjourned. | WA |
| WA H 2299 | Failed–adjourned. | WA |
| WA H 2388 | Failed–adjourned. | WA |
| WA H 2086 | Failed–adjourned. | WA |
| WA H 2678 | Failed–adjourned. | WA |
| WA H 2999 | Failed–adjourned. | WA |
| WA S 5048 | Failed–adjourned. | WA |
| WA S 5455 | Failed–adjourned. | WA |
| WA S 6032 | Enacted. Chap. 299 | WA |
| WA S 6202 | Failed–adjourned. | WA |
| WV H 4342 | Failed–adjourned. | WV |
| WV S 495 | Enacted. Chap. 128 | WV |
| WY H 1 | Enacted. Chap. 299 | WY |
| DC B 782 | Pending | DC |
| DC B 783 | Pending | DC |
| DC B 805 | Pending | DC |
| PR H 246 | Adopted | PR |
| PR HR 257 | Pending | PR |
| PR HR 367 | Pending | PR |
| PR HR 475 | Pending | PR |
| PR SR 158 | Pending | PR |
