Cyber-security Regulation - State Government Regulation

State Government Regulation

State governments have attempted to improve cyber-security by increasing public visibility of firms with weak security. In 2003, California passed the Notice of Security Breach Act which requires that any company that maintains personal information of California citizens and has a security breach must disclose the details of the event. Personal information includes name, social security number, driver’s license number, credit card number or financial information. Several other states have followed California’s example and passed similar security breach notification regulations. These security breach notification regulations punish firms for their cyber-security failures while giving them the freedom to choose how to secure their systems. Also, this regulation creates an incentive for companies to voluntarily invest in cyber-security to avoid the potential loss of reputation and the resulting economic loss that can come from a successful cyber-attack.

In 2004, California passed California Assembly Bill 1950 which also applies to businesses that own or maintain personal information for California residents. This regulation dictates that businesses maintain a reasonable level of security and that these required security practices also extend to business partners. This regulation is an improvement on the federal standard because it expands the number of firms required to maintain an acceptable standard of cyber-security. However, like the federal legislation, it requires a “reasonable” level of cyber-security, which leaves much room for interpretation until case law is established.