With legislatures back in session, cybersecurity is again front and center—and states are moving to tighten expectations for the private sector. Early bills point to two clear strategies: expanding regulatory oversight of critical infrastructure and offering liability protections to push companies toward voluntary compliance with national standards.
Some states are taking a more assertive regulatory approach. New Hampshire’s HB 1728 would establish a formal “standard of care” for operators of technology systems serving large populations, effectively setting baseline cybersecurity requirements for essential services. New Jersey is advancing similar proposals, including AB 3283, which would require companies in sectors like finance, health care, and critical infrastructure to submit cybersecurity plans for state audit, and SB 2940, which would create a centralized Office of Cybersecurity Infrastructure. Together, these measures signal a shift toward direct state oversight of cybersecurity practices in high-risk sectors.
At the same time, other states are leaning on incentives rather than mandates. Mississippi’s HB 1220 and Florida’s SB 692 would grant liability protections to organizations that align with nationally recognized frameworks, such as those published by the National Institute of Standards and Technology (NIST). Florida’s bill goes further, requiring local governments to follow uniform state standards and barring them from layering on additional vendor requirements—an effort to prevent a patchwork of local rules. The message is clear: states increasingly see liability protections as a powerful tool to accelerate adoption of baseline cybersecurity standards without imposing across-the-board mandates.
Stateside’s Technology Practice is actively tracking these developments across all 50 states and key localities, providing clients with real-time intelligence, risk analysis, and tailored engagement strategies to help shape emerging cybersecurity requirements and protect their business interests.
