While the General Data Protection Regulation (GDPR) significantly expanded the powers of European national data protection authorities in 2018, legislative and enforcement developments in the United States over the last year showcased the growing role and importance of state attorneys general and other state regulators in the realm of cybersecurity and data privacy.
In 2018, California passed a data privacy law akin to the GDPR and enacted legislation addressing internet-based bot activity and security of devices connected to the Internet of Things. With passage of legislation in Alabama in March 2018, all 50 states now have data breach notification laws, with requirements as to notification content, timing, and recipients varying across jurisdictions. And prescriptive cybersecurity regulations promulgated by New York State’s Department of Financial Services continued to take effect in rolling fashion. Absent preemptive legislation at the federal level, where proposals are stalled in Congress, we can expect data protection and privacy laws and regulations to proliferate at the state level, as state legislatures and regulators vie for the mantle of lead cybersecurity enforcer.