Overview of state-level cybersecurity legislation

Cybersecurity governance has been gaining traction at the national level in the past few months, with proposed funding cuts to traditional federal cybersecurity programs on the horizon. While federal regulatory proposals have not yet accompanied these proposed cuts, those could also be forthcoming. State actions frequently set precedents or highlight pressing issues that might require national attention and could inform future federal regulation. Reviewing state-specific regulations can help us understand how they help prepare us for cybersecurity challenges and what insights they offer regarding the potential direction of future federal legislation.

To evaluate state-level cybersecurity reform, Reason Foundation compiled a dataset drawing from the National Conference of State Legislatures (NCSL). The analysis identified 557 cybersecurity-related bills enacted between 2014 and 2024. This timeframe was chosen because the establishment of the NCSL Task Force on Cybersecurity in 2016 marked a critical juncture, signaling the onset of modern cybersecurity legislation in the United States. It followed another significant cybersecurity governance event at the federal level, when President Barack Obama signed into law the Cybersecurity Information Sharing Act (CISA), aimed at enhancing information sharing between the private and public sectors.

Dynamic growth of state-level cybersecurity bills

Figure 1. Number of cybersecurity bills adopted each year from 2014 to 2024.

Source: Author’s calculation using NCSL data.

Figure 1 shows the dynamic growth of cybersecurity legislation activity from 2014 to 2024. Year after year, the map becomes increasingly green, indicating a steady increase in state-level activity. While only four states had adopted any cyber legislation in 2014, most states had adopted some form of regulation by 2024.

Figure 2. Trends in cybersecurity bill activity, 2014–2024.

However, the number of bills adopted is just one measure of legislative activity. The total volume of bills introduced—encompassing adopted, failed, and pending legislation—provides additional insight into the broader momentum and focus of cybersecurity policy. Pending legislation includes all legislation that hasn’t reached a definitive status (either passed or failed) by the end of the session, meaning that the majority of bills are considered dead, and some could have reappeared in another form in future sessions. Figure 2 illustrates the yearly trends of cybersecurity legislation activity, reflecting adopted, failed, and pending bills across all U.S. states and territories.

The data exhibits a clear upward trajectory in cybersecurity legislation, peaking notably in 2023 with an impressive 529 bills introduced in a single year. The slight decline observed in 2024 aligns with a cyclical legislative pattern, where periods of intensive legislative activity are often succeeded by years of reduced legislative proposals, typically due to policy saturation and the need to assess the effectiveness of enacted measures.

Categories of state cybersecurity legislation, 2014-2024

Over the past decade, cybersecurity legislation at the state level has evolved from foundational governance and breach response to proactive frameworks addressing infrastructure, workforce, and AI. This timeline reflects both the maturation of state policy and the changing nature of cyber threats.

Institutional cyber governance (2014-2016)

Between 2014 and 2016, legislative activity addressed institutional preparedness and agency-level accountability. For example, California’s Assembly Bill 2200 in 2014 proposed formalizing the California Cybersecurity Task Force under the Governor’s Office of Emergency Services, reflecting early awareness of the need for statewide coordination. In 2015, Maryland created a State Cybersecurity Council (Senate Bill 542) to coordinate and advise on cybersecurity issues across the state, highlighting proactive government measures toward preparedness and interagency collaboration. The trend toward enhancing institutional preparedness continued into 2016, notably with Colorado’s House Bill 1453, which established the Colorado Cybersecurity Council as a policy-guiding body to oversee comprehensive cybersecurity goals and coordinate across government branches.

Incident response and election integrity (2017–2018)

During 2017 and 2018, state cybersecurity legislation increasingly prioritized incident response strategies and election integrity. In 2017, Nevada’s Assembly Bill 471 established the Nevada Office of Cyber Defense Coordination with a mandate to coordinate incident response, particularly safeguarding state systems from cyberattacks targeting critical infrastructure. Similarly, Illinois enacted House Bill 2371, requiring state employees to undergo annual cybersecurity training, including responding effectively to phishing and spyware incidents, illustrating proactive measures aimed at mitigating threats through workforce readiness.

Election security themes became prominent in 2018 when California’s Assembly Bill 3075 created the Office of Elections Cybersecurity within the Secretary of State’s office. Its role was to coordinate cybersecurity efforts with local election officials to prevent cyber incidents that could disrupt elections or disseminate misleading information online. Additionally, Illinois’ Senate Bill 2651 required local election authorities to implement specific cybersecurity measures, emphasizing the protection of voter registration systems and election databases from cyberattacks.

Blockchain, insurance, and cybercrime (2019-2020)

Between 2019 and 2020, state legislation expanded to include blockchain technology, cyber insurance, and enhanced measures to combat cybercrime. For example, Florida enacted House Bill 1393 in 2019, establishing the Florida Blockchain Task Force to explore blockchain applications for secure recordkeeping and service delivery. Likewise, North Dakota passed House Concurrent Resolution 3004, calling for an assessment of blockchain’s potential benefits for secure electronic voting and administrative efficiency.

A few states adopted comprehensive regulations aligned with the National Association of Insurance Commissioners (NAIC) cybersecurity standards. Alabama’s Senate Bill 54 (2019) mandated that insurers develop information security programs and report cybersecurity events, establishing clear confidentiality protections and penalties for non-compliance. Similarly, Delaware’s House Bill 174(2019) implemented cybersecurity standards for insurers, emphasizing timely investigations and incident notifications.

States also significantly strengthened laws to tackle evolving cybercrime threats. In West Virginia, Senate Bill 261 (2019), lawmakers created explicit criminal penalties targeting ransomware attacks, reflecting a proactive legislative response to rising digital threats. Louisiana enacted House Bill 74 (2019), establishing criminal penalties for unauthorized access to state computer systems, underscoring a growing focus on protecting governmental infrastructure from malicious cyber actors. These efforts continued in 2020, with states like Virginia (Senate Bill 1003) criminalizing cyber crimes that lead to financial harm.

Workforce education and government standards (2021-2022)

During 2021 and 2022, states increasingly recognized the need to strengthen cybersecurity by investing in workforce training and education while also enhancing cybersecurity standards across public agencies. This legislative push emerged in response to heightened vulnerabilities exposed by the remote workforce shift and rising cyber threats.

For example, in West Virginia, Senate Bill 529 (2022) significantly expanded computer science education curricula, explicitly incorporating cybersecurity and digital literacy into school programs. Similarly, Mississippi enacted House Bill 633 in 2021, the Computer Science and Cyber Education Equality Act, mandating comprehensive K–12 instruction in cybersecurity, programming, robotics, and related disciplines, aimed at preparing students for cybersecurity careers. These educational initiatives underscored a legislative acknowledgment of the need to nurture a cyber-literate workforce from an early age.

States also emphasized setting clear cybersecurity benchmarks for government entities to protect critical public infrastructure. For instance, Florida’s House Bill 1297 (2021) required the establishment of stringent cybersecurity oversight standards for state agencies, formalizing cybersecurity responsibilities and creating a dedicated State Cybersecurity Advisory Council. Meanwhile, Wisconsin (Assembly Bill 818 and Senate Bill 786, 2022) considered establishing formal cybersecurity standards and rules for state government entities. Although the bills ultimately failed, Wisconsin’s initiative highlighted a growing recognition of the need for standardized cybersecurity practices across public administration.

Critical infrastructure and social media (2023-2024)

Cybersecurity threats continued to evolve in complexity and severity across states during 2023 and 2024, prompting state legislatures to sharpen their focus on protecting critical infrastructure and mitigating risks posed by social media platforms.

States emphasized legislative efforts to enhance the security of critical infrastructure, recognizing its vulnerability to cyberattacks and the potential for significant disruptions to public services. Arizona introduced Senate Bill 1658 (2023), proposing to restrict agreements involving critical infrastructure with adversarial nations, though the bill was ultimately vetoed. Similarly, Idaho (House Bill 148, 2023) sought to criminalize impeding critical infrastructure (an effort that ultimately failed), while Florida successfully enacted legislation (House Bill 275, 2024) criminalizing intentional damage to critical infrastructure, reflecting heightened state attention to safeguarding essential services from physical and cyber threats.

Social media platforms, particularly those perceived as posing national security threats due to foreign ownership or data management practices, became a significant focus for legislatures. Concerns around TikTok dominated legislative agendas in 2023 and 2024.

Florida enacted legislation explicitly banning prohibited applications, including TikTok, on government-issued devices (Senate Bill 258, 2023). Likewise, Idaho (House Bill 274, 2023) prohibited state employees from downloading or using TikTok on official devices, implementing punitive measures for violations. Beyond TikTok, some states considered broader cybersecurity implications tied to social media. Colorado’s House Bill 1136 (2024) specifically targeted promoting healthier social media use among youth, addressing both cybersecurity and broader public health implications.

Conclusion

This review of state-level cybersecurity legislation provides insights into evolving policy priorities and challenges. Understanding these trends at the state level is crucial for national policymakers, as it highlights key areas of concern, including infrastructure protection, proactive incident response protocols, and election security among other areas. Such areas receiving significant state attention can inform national legislative strategies, helping federal policymakers prioritize effective and relevant cybersecurity measures aligned with localized needs and priorities.

The post Overview of state-level cybersecurity legislation appeared first on Reason Foundation.

Source: https://reason.org/commentary/overview-of-state-level-cybersecurity-legislation/