The February white paper, Tracking Cybersecurity Policy Developments Across State Legislatures, is from the University of California, Berkeley Center for Long-Term Cybersecurity (CLTC), and it takes a comprehensive look at enacted state cybersecurity laws. Shannon Pierson, senior fellow at CLTC and lead author, said the project grew out of the lack of clear, centralized data showing what states are actually doing in cyber.
Of note, Maryland passed 14 of the laws, Texas passed 11, Arkansas passed nine and Florida four. The remaining 33 states passed between one and three bills each.
“I compiled this list using open-source methods, and I wanted to give it to other researchers as well as lawmakers and folks in the cybersecurity and hacking community,” Pierson said. “I wanted this to be a resource for people to learn and also to become engaged and interested.”
Pierson and co-author Sree Varsha Bhanoor, a UC Berkeley graduate student, used LegiScan for research and excluded data privacy and artificial intelligence laws to keep the focus on primarily cyber-specific bills. Bills and the resulting policy actions are now searchable via a public database. The project took about a year and only includes legislation that was passed into law.
More than half of the laws, or 51 percent, align with the governance function of the National Institute of Standards and Technology Cybersecurity Framework. Governance laws reflect an emphasis on leadership structures, oversight and reporting requirements. States continue to build or expand centralized cybersecurity offices, establish statewide strategies and require agencies to implement baseline protections.
The most common policy action was mandating cybersecurity controls, such as encryption, access management and secure configurations, Pierson said. Many of the bills, however, rely on broad terms like “reasonable security measures,” leaving agencies to interpret what compliance means. A smaller group of states adopted more specific requirements, including phishing-resistant multifactor authentication or alignment with recognized security frameworks.
The report shows that public schools are a focus. The resulting laws reflect a rise in ransomware attacks on school districts nationwide. New laws require development of uniform cybersecurity policies for schools, convening task forces to recommend standards, and, in some cases, creating state-administered cyber insurance programs.
Despite cybersecurity garnering broad cross-party consensus, a lack of funding remains a significant problem. Many bills lacked dedicated appropriations for required risk assessments, tabletop exercises or new reporting mandates.
“Legislators struggle to pass bills that have funding attached, so they are passing legislation that focuses more on things like reporting and on establishing new standards,” Pierson said. “But without that financial component, it's hard to translate it into action.”
The report also highlights a lack of attention to detection capabilities, she said. Few statutes strengthened states’ ability to continuously watch systems or analyze indicators of compromise, which is a notable gap as federal support for shared services such as the Multi-State Information Sharing and Analysis Center and Electricity Information Sharing and Analysis Center declines.
CLTC recommends that, moving forward, lawmakers pair mandates with funding, adopt clearer cybersecurity standards and ensure reporting requirements include follow-up action — not just paperwork.
CLTC's public database of the laws is designed to help lawmakers, practitioners and researchers find trends and connect with legislative sponsors.
“I would encourage folks who are in the cybersecurity and hacking community to download the data set and then to filter for their state, and to look at what is passing in their state,” Pierson said. “Look at the kinds of specific controls that are being enacted. … Look at which legislators are advancing legislation successfully, and see if they can potentially make contact with them, to maybe serve as a resource to them.”