Wyoming Seeks to Fortify its Cybersecurity Laws

Due to growing data security concerns, a bill working its way through the Wyoming Legislature would mandate that the state encrypt sensitive data.

by Trevor Brown, Wyoming Tribune-Eagle, Cheyenne / September 30, 2015

(TNS) -- A proposed new law could force Wyoming to strengthen its cybersecurity policies to shield data from potential hackers.

State lawmakers are considering a bill that would require state agencies to "enforce and maintain a policy regarding the collection, access, security and use of data."

This would include setting up safeguards, requiring employee training and encrypting sensitive information.

It also would require state officials to put in place processes to identify and respond to security breaches.

Flint Waters, the state's CIO, said consistent practices across agencies are important in order to protect both the citizen and business information that the state collects.

"We have an energy economy, so there is all sorts of information that should be protected," he said. "And there should be policies that govern how to keep them secure."

Under the proposal, the required cybersecurity measures for state agencies, as well as boards, commissions and other groups within the state's executive branch, would take effect July 1.

But the proposed legislation also would look at the possibility of extending a similar set of requirements to the state's cities, towns and counties.

It would charge Waters with issuing a report that analyzes the costs, needs and feasibly for local governments to adopt and enforce these safeguards.

Shelley Simonton is the executive director of the Wyoming Association of Municipalities. She said she supports a "high-level" assessment of what threats local government, particularly the smaller communities, face.

"There might not be what we are suspecting to be a concern," she said. "For example, they might do a lot of their processes still with pen and paper."

But she said state funds could be needed to help these small governments - some of which have annual operating budgets of only a few hundred thousand dollars - if there are extra cybersecurity requirements.

The report on implementing the practices for local governments, however, would not be due until Sept. 1. And any requirements wouldn't be considered by lawmakers until 2017 at the earliest.

After taking testimony on the proposal, the Legislature's Task Force on Digital Information Privacy voted to recommend the legislation during its meeting last week.

Sen. Chris Rothfuss, D-Laramie, who co-chairs the group, said he supports the "two-stage" process of getting the state agencies' policies in place and then looking at extending them to local governments.

He added that he is hopeful the state could leverage some of its recourses to help the smaller communities, which he said could be especially vulnerable to online theft.

"If (a small local government) has a computer with an Excel sheet on their network - and if they haven't updated since Windows 98, don't have a firewall or anything - then it's honestly just waiting for someone to come in," he said. "So it might even be that these smaller communities have the most to gain and need the most help."

The legislation will next be considered by the Joint Corporations, Elections and Political Subdivisions Interim Committee when it meets in November.

That group will then decide whether to sponsor the proposal during the 2016 legislative session that begins in February.

©2015 Wyoming Tribune-Eagle (Cheyenne, Wyo.) Distributed by Tribune Content Agency, LLC.