CIPP/US Study Guide
Chapter 7: State Data Breach Notification, Data Security, and Data Destruction Laws

State Data Security Laws

About two-thirds of states require data security measures. Roughly 20 states use a 'reasonable security' standard (e.g., California's AB 1950); about 10 impose prescriptive requirements (Massachusetts is the most prescriptive); and Connecticut, Iowa, Ohio, and Utah use safe harbor laws instead.

Less well known than breach laws, state data security laws require companies to develop and maintain appropriate data security. Federally, no law imposes security standards across all industries, but the health care and financial sectors have federal security provisions, and the FTC uses its Section 5 power to challenge misrepresented security (deceptive) or a failure to provide reasonable procedures (unfair).

Three approaches to state data security laws

Approach                                          Roughly how many states  Example
Reasonable security standard (no specifics)       ~20 states               California AB 1950
Prescriptive/extensive requirements               ~10 states               Massachusetts (most prescriptive: authentication, access controls, encryption, monitoring, firewalls, updates, training)
Cybersecurity safe harbor instead of obligations  4 states                 Connecticut, Iowa, Ohio, Utah

Sector-specific overlays

Some states impose sector-specific security mandates (e.g., financial services, insurance). New York has the most prominent of these.

Key terms - quick answers

What is “AB 1950”?
California's data security law (Civil Code 1798.81.5), the country's first state security law, requiring reasonable security procedures and practices.
What is “Cybersecurity safe harbor law”?
A law (Connecticut, Iowa, Ohio, Utah) letting a company defeat a breach lawsuit if it had appropriate safeguards in place before the breach.