As federal policy lags, state legislative pipeline is more important for CIOs

Midterm elections are around the corner, ushering in a partisan and contentious battle for Congress. A few gubernatorial races have captured national attention, but for the most part the discourse has centered around the national stage.

For CIOs and other technology leaders, paying attention to state leadership and policy is more important than ever. With a lack of clear federal policy on many digital and data privacy issues, states have taken up the mantle.

Across the country it can be a full-time job to know the ins and outs of every proposed bill. An easier task would require CIOs, especially those who report to the CEO, to be very familiar with pending legislation that would materially change existing laws and how businesses operate.

Security breach notification laws have been around for years and are pretty consistent between states. If another state adds a new law, it's not going to cause an upheaval for businesses, according to Scott Pink, special counsel at O'Melveny & Myers LLP, in an interview with CIO Dive.

But a new law affecting data restrictions or what type of consent or notification is required will cause more material changes for businesses. And if one state passes a new law relating to something like data transfers to a third party, it could ripple impacts across states.

With a strong track record of pioneering technology legislation, California is a good place to gauge where state policy is headed.

All eyes on California

When it comes to technology, California has filled the vacuum of federal policy, from the California Consumer Privacy Act (CCPA) and net neutrality regulation to a law for internet of things security.

Other states have taken similar measures. A Colorado law went into effect in September with stricter breach notification, security procedure and data processing requirements. The law also is the first among states to enact a GDPR-like requirement that businesses ensure third-party data processing is secure and protected, according to Pink.

Several factors have come together to incentivize state legislators to strengthen privacy, data and breach protections, according to Pink, including:

The May enactment of GDPR
Seeming increase in security incidents, especially high-profile ones like Equifax
Reports of data being used in ways without consumer consent or knowledge

Concerns prevail that state laws might negatively impact digital commerce; big tech criticized the CCPA as not being fully thought out. But at the same time, states don't want to be left behind, especially as federal legislation looks so far away on the horizon.

The first states to enact a forceful or unique policy can have effects around the country, especially the home state of Silicon Valley.

California became the first state with a data breach notification law in 2002, and many states around the country followed its example. Successive laws had variations, but California's served as a baseline.

California's Online Privacy Protection Act, enacted 2004 and updated 2013, was also the first of its kind to require businesses to post privacy policies. Now many states have this law; some, like Nevada and Delaware, essentially copied California's model, according to Pink.

A similar phenomenon could take place with the California privacy law, though successive iterations may not be as "cookie cutter" of California's, Pink said. The privacy law has incurred many critiques that it was rushed and will hurt businesses.

Massachusetts, New York, New Jersey and Illinois are some of the bigger states to watch with pending privacy legislation, according to Pink. These laws might not be passed until the end of the year or even 2019, but gauging the temperature of policy early never hurt.

What's in the pipeline

Across the states there were 92 pending laws relating to cybersecurity, 29 relating to privacy practices of internet service providers, 78 for security breach legislation and 31 relating to net neutrality, according to the National Conference of State Legislatures database.

Some digital laws are less politically contentious: Most politicians would agree that disclosing a data breach is in the best interest of the public. But political affiliation and party can come into play in areas where pro-business and pro-consumer interests clash, such as consent requirements or remedies for failure to comply, said Pink.

Net neutrality is perhaps the hottest partisan tech issue. Virtually every proposed net neutrality legislation at the state level has been put forth by Democrats, who generally opposed the walk back of Obama-era protections last winter.

With governors having final approval power, the state executive office can be a first indicator of a bill's success.

Gubernatorial elections are underway in 36 states. Democrats are expected to switch Illinois, Michigan and New Mexico from Republican control, while Alaska is leaning toward a Republican pick up, according to Larry Sabato's Crystal Ball and the Cook Political Report.

Illinois has the most pending legislation of the states expected to flip, with 12 cybersecurity, eight security breach and two ISP and privacy laws pending. Michigan has nine pending cybersecurity and five pending breach laws.

The Crystal Ball has nine states listed as toss-ups: Florida, Iowa, Kansas, Maine, Nevada, Ohio, Oregon, South Dakota and Wisconsin. The Cook Report also pegs Georgia, Oklahoma and Connecticut as toss-ups.

Of states with toss ups in the executive office, only Ohio has pending technology legislation with two cybersecurity bills.