Jami Mills VibbertCyber Defense magazine titled, "State Cybersecurity Regulation: Another Patchwork Approach?" Here is an excerpt from the article:
Until recently, state oversight of cybersecurity has been relatively limited. Indeed, although 48 of 50 states have laws related to data breach notification, those laws govern only a small part of cybersecurity practice—the time following a security incident. Those breach notification laws form a complicated morass requiring notification of a security breach under certain, different circumstances, depending on the type and amount of data involved. That is, the who, what, when, where, why, and how vary from state to state, often requiring an in-depth analysis by a breached company to determine what its notification obligations are while also trying to handle the crisis situation that arises post-breach. The Health Insurance Portability and Accountability Act (HIPAA) has a breach notification provision that applies nationwide, but applies only to protected health information, and does not preempt any state law notification requirements. Attempts at an overarching federal breach notification law have stalled in the past couple of years, and thus companies must continue to spend time and resources following a security incident dealing with analysis under these separate laws.