Amid the ever-present threats posed by hackers, scammers and other bad actors, more and more states have adopted legislation aimed at bolstering efforts to protect individuals' personal information, creating a patchwork of approaches across the United States.

Background

As of November 2023, more than 40 states have introduced proactive cybersecurity legislation, and at least 20 states have adopted proactive privacy and/or cybersecurity laws. In addition, federal laws, state constitutional rights, industry mandates (e.g., for payment card processors) and common law require companies to proactively adopt "reasonable" measures to protect personal information against "foreseeable" risks that could compromise the integrity, availability and confidentiality of personal data.

Unsurprisingly, it can be a daunting task for companies to identify which of these laws they are subject to and then adopt and maintain compliant programs. Failure to do so may subject the company to fines, litigation, and reputational harm. Included below is a sampling of state and federal proactive laws adopted as of this writing, as well as tips for identifying which of these laws may apply to you and other recommended best practices for meeting the mandates of these laws.