A limited number of states have implemented cybersecurity laws governing the private sector, including Massachusetts and New York, which mandate reasonable data security practices.  For instance, the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth (Massachusetts Cybersecurity Law), enacted in 2010, requires all persons that own or license personal information about Commonwealth residents to develop, implement, and maintain a comprehensive information security program.  

Like to the Massachusetts Cybersecurity Law, the data security provisions of the New York SHIELD Act, which took effect in March 2020, impose obligations on persons or business that own or license private information about residents of New York. These businesses must develop, implement, and maintain cybersecurity programs based on assessed risk, ongoing monitoring, incident response planning, and limited data retention and disposal. The SHIELD Act carves out certain exemptions for small businesses and deems compliant entities that otherwise satisfy applicable regulatory obligations, such as under Graham-Leach-Bliley.

Several state-level regulators also have adopted sector-specific cybersecurity regulations.  Of note, the New York Department of Financial Services has adopted a robust set of cybersecurity rules that impose significant requirements—including encryption, multi-factor authentication, breach notification, and other very detailed obligations—on entities that it regulates.¹

 ¹ N.Y. Codes R. & Regs. tit. 23, § 500.