Additionally, there was a strong focus on strengthening cybersecurity assets and protecting data privacy.
Here are just a few pieces of legislation we found that could signal changes in the IT landscape.
CALIFORNIA
The California AI-ware Act, also known as CA SB 313, would create the Office of Artificial Intelligence to guide the use of the technology across state government.
The new office, according to the bill, would “guide the design, use and deployment of automated systems by a state agency to ensure that all AI systems are designed and deployed in a manner that is consistent with state and federal laws.”
Additionally, the bill would require that any agency using an artificial intelligence system to communicate with a "natural person" must notify the human user and provide a means for that user to connect with a human representative.
During a May 1 hearing, the bill was placed on the Appropriations Committee's suspense file. This means the bill would see another vote before advancing to the Senate floor.
TEXAS
A bipartisan group of Texas lawmakers is behind House Bill 2060, a proposal that could create a state artificial intelligence advisory council. That council would be composed of seven nonpaid members appointed by the governor, the House and Senate.
Each state agency would be tasked with conducting an inventory of "automated decision systems" for review no later than July 1, 2024.
The council would be charged with studying the AI systems being used and procured by state agencies with the goal of identifying the need for policies and any recommendations for administrative action. These recommendations would be due to the Legislature no later than Dec. 1, 2024.
The bill was referred to the Business and Commerce Committee for further review April 24.
HAWAII
In less concrete legislative action, Hawaii lawmakers passed and Gov. Josh Green signed Senate Concurrent Resolution 179 April 28 calling on Congress to "begin a discussion considering the benefits and risks of artificial intelligence technologies."
The document cites the potential for both enormous societal benefits and unintended consequences, and urges a national discussion about the use of the technology in law enforcement and military applications. Hawaii lawmakers urged the creation of safeguards, citing Isaac Asimov’s three rules of robotics.
KANSAS
On April 18, Gov. Laura Kelly signed House Bill 2019 into law creating new cybersecurity breach notification and training requirements.
The law mandates that any public entity experiencing a significant cybersecurity incident to notify the Kansas Information Security Office (KISO), the primary agency responsible for cybersecurity in the state, within 72 hours if the incident “involves the confidentiality, integrity or availability of personal information or confidential information."
The legislation also states that “any entity connected to the Kansas criminal justice information system shall report any cybersecurity incident in accordance with rules and regulations adopted by the Kansas criminal justice information system committee.”
During the 2018 legislative session, the state implemented the Kansas Cybersecurity Act, which established requirements for state agencies to develop and implement inclusive cybersecurity programs and establishes a fund to support cybersecurity efforts across the state, including training and education programs for government entities.
NEVADA
In Nevada, Senate Bill 370 looks to outline protections for health-related data collection and use. The legislation, which now sits with the Committee on Commerce and Labor, would require entities to create and maintain an accessible policy around consumer health data and would prohibit the collection of health data without consent.
Under the proposal, certain entities would also be required to create and share policies around the storage and retention of biometric data.
OKLAHOMA
The Oklahoma Hospital Cybersecurity Protection Act of 2023, also known as House Bill 2790, is a voluntary measure that allows covered entities to seek an "affirmative defense” in the event of a data breach. The legislation, which was signed into law April 28 by Gov. Kevin Stitt, outlines the requirements an entity must meet in order to avoid liability for the exposure of personal data.
Under the new law, entities would be required to maintain documentation of their compliance with a written cybersecurity plan, and that plan would need to conform to an industry-recognized cybersecurity framework.
The state has enacted several cybersecurity-related laws over the past few years to protect government entities from being blamed for data breaches through affirmative action defenses.
The Oklahoma Security Breach Notification Act, which requires entities that collect and store personal information to notify affected individuals if a breach occurs, took a similar approach to the most recent law by offering safe harbor protections for entities that have reasonable security measures in place.
