According to the proposal, this information includes names, health records, credit reports, credit card numbers, sealed court records and addresses.
The idea for the commission came after former Senate President Stanley Rosenberg requested that a special commission be formed to study cyber-based incidents, according to Sen. Michael Moore, D-District 38.
Based on the information found by the commission, it was recommended that a joint committee within the state’s House and Senate be created to address cybersecurity-related issues.
This year, Senate President Karen Spilka advanced the committee leading to S.2088 being filed.
“This legislation was filed last session, but with the pandemic, a lot of legislative issues went on the back burner,” Moore said. “We looked at the public utilities commission as a guide for setting up an organizational structure.”
Once that structure was put in place, “it was important for us to set minimum standards. Right now, we don’t have any minimum standards to protect personal data within government infrastructure,” he said.
To create these standards, input from representatives from different sectors, including finance and health care, was reviewed during the process.
From that input, the commission found that each sector followed different cybersecurity standards.
“The last thing we wanted to do was have a standard that applied to banks or financial institutions that didn’t cover the concerns or platforms used by health care,” Moore said.
“We wanted to have enough voices from individual sectors to help determine which standards to include,” he added.
One of these standards includes businesses undergoing a cybersecurity accreditation process.
Businesses that have contracts with state agencies or handle critical infrastructure or data would be required to adopt the commission’s standards for their specific sector, including undergoing an accreditation process.
“Say you are an industry partner in health care or banking, you may want to do due diligence on that organization to get a better idea of how they protect their data,” Moore explained. “One way to do that is to see if the company is accredited and follows the commission’s standards before moving forward.”
Another potential mandate laid out in the bill is that state agencies that purchase hardware or software acquisitions must meet the minimum standards to ensure that cybersecurity protections are met and would need to provide employees with the training to identify phishing emails and other threats.
“Our laws have not always kept pace with ways technology can be used by both domestic and foreign terrorists,” Rep. Tami Gouveia, D-District 73, said. “For me, I made a conscious decision at the beginning of the session to look at bills that relate to protecting cyber systems, the security of critical infrastructure and critical information.”
As a result, Gouveia said, “I co-sponsored the bill, paying special attention to disinformation or threats to security, including cybersecurity.”
“To fully protect critical data it takes money and resources,” she added. “Figuring that out might be a challenge.”
