The Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth (Massachusetts Cybersecurity Law), enacted in 2010, is one of the few cybersecurity-specific state-level laws in the United States. It requires all persons that own or license personal information about Commonwealth residents to develop, implement, and maintain a comprehensive information security program.
In addition to the Massachusetts Cybersecurity Law, several state data breach notification laws require covered entities to implement reasonable information security measures or provide a safe harbor to those entities that have a cybersecurity program. For example, Ohio’s data breach notification law provides a safe harbor for covered entities that adopt and comply with a written cybersecurity program that provides for administrative, technical, and physical safeguards in accordance with industry-recognized cybersecurity frameworks.[1]
Several state-level regulators also have adopted sector-specific cybersecurity regulations. Of note, the New York Department of Financial Services has adopted a robust set of cybersecurity rules that impose significant requirements—including encryption, multi-factor authentication, breach notification, and other very detailed obligations—on entities that it regulates.[2]
[1] Ohio Rev. Code § 1354.01-.05.
[2] N.Y. Codes R. & Regs. tit. 23, § 500.