In their 2021 legislative sessions, 42 states and Puerto Rico have introduced more than 300 pieces of legislation pertaining to cybersecurity, according to research from the National Conference of State Legislatures. That compares with 280 pieces of legislation in 38 states in 2020.

Some of these measures, whether in the form of bills or resolutions, go on to create task forces that focus on the state’s own cyber infrastructure. Others focus on training and development, incident response and data protection strategies for citizens’ data.



According to the report from NCSL, this governmental action was in direct response to the influx of cyber threats, particularly at the start of the COVID-19 pandemic in spring and summer of 2020.

While hundreds of these bills are still in “pending” status, a few have successfully passed and have been either enacted or brought forth for the governor’s signature or veto.

For example, in Mississippi, House Bill 633 passed the Computer Science and Cyber Education Equality Act, which implements a mandatory computer science curriculum for students in grades K-12, based on standards that include training in cybersecurity.



Data Connectors partner Spirion has compiled a complete list of all the data protection laws that have passed and that are now enforceable both this and last year. This is a state-by-state dive into the new data protection, breach notification, and third-party service provider reporting requirements.

Some of these pieces of legislation apply specifically to private businesses, government organizations and non-profit organization, which is indicated in the chart. While most of these are enforced by the state attorneys general, this overview offers insight on where these laws are being managed.

Looking for a deep dive into CCPA/CPRA?  Check out this Web Briefing from Spirion on the topic. 



Virginia has had one of the most active state houses in terms of passing cybersecurity legislation, with the most impactful being the state’s March 5 passage of the Consumer Data Protection Act (CDPA). Legislators seem to have taken a page from the 2018 California Consumer Privacy Act (CCPA), but withheld the revenue thresholds for imposing obligations.

However, further legislation in Virginia included the addition of cyber attacks and virtual infrastructure to be included under the Emergency Services and Disaster Law. The state CIO was also given the opportunity to develop security awareness training for all state employees annually. They also expanded the definition of computer trespass, and equated the penalty of someone convincing another to spend cash under false pretenses as a Class 1 misdemeanor.

That said, the bills that remain in “Pending” status may continue to wait there for many months. For example, Maryland, which has more than 20 bills waiting to be voted on, adjourned their session on April 12. With legislative sessions ending as we draw closer to summer, many of these bills may be left untouched until 2022.



Leave a Reply

Your email address will not be published. Required fields are marked *

Recent news posts

This is a sample blog post title.
Featured Image

State, Local, Federal Cybersecurity Executives Confer On 2022 Threats, Attack Landscape

This is a sample blog post title.
Featured Image

Your Weekly DHS/CISA Threat Assessment (September 14)

This is a sample blog post title.
Featured Image

Assistant to the Special Agent in Charge at USSS-DHS Leads Keynote Presentation in Philadelphia

This is a sample blog post title.
Featured Image

CISA Insights: Risk Considerations for Managed Service Provider Customers

This is a sample blog post title.
Featured Image

Your Weekly DHS/CISA Threat Assessment (September 3)

Attend an Event!

Connect and collaborate with fellow security innovators at our Virtual Cybersecurity Summits.

Register Today