We’ve reached the end of the third week of the legislative session, so we are taking the SEO-friendly opportunity to talk about three bills on cybersecurity we are keeping an eye on.
HB2146 – Data Security Breach; Notification
This is the only bill that has been heard in front of a committee so far. Sponsored by Representative Shawna Bolick, HB2146 seeks to add the Director of the Arizona Department of Homeland Security (ADOHS) to the list of individuals who must receive a notification if there is a breach of data security. Under current state law, if a breach affecting more than 1,000 people occurs, the individual who conducts business in the state and owns the data must notify only the Attorney General and the three largest consumer reporting agencies. Given the State’s efforts to improve its cybersecurity position through the ACTIC and the building of the Cyber Command Center, adding the Director of the ADOHS is a natural addition.
Representative Bolick (R – LD20) testified in the House Commerce Committee. The biggest question was whether the ADOHS was receiving these notifications already, to which she responded that it was, but not by mandate. The goal of this bill is to statutorily ensure the ADOHS is kept in the loop.
HB2145 – Governmental Entities; Ransomware Payment; Prohibition
The second cybersecurity bill is also sponsored by Representative Bolick. HB2145 requires the state or a political subdivision of the state to immediately report a ransomware attack. It also provides that the state or political subdivision “may not make a payment to remove or decrypt ransomware from the system files.” This bill does not apply to private sector entities.
In short, while this is not an outright ban like we’ve seen in other states, the legislation hopes to discourage government agencies from making ransom payments. Currently, HB2145 has been assigned to both the House Committee on Rules and the House Committee on Government & Elections.
HB2584 – Cybersecurity Software Bids
Finally, HB2584 would require the ADOHS to purchase a statewide enterprise license for security software to help pinpoint security vulnerabilities in the software development process. In particular, the software must use at least two of the following to scan software code: static analysis security testing, dynamic testing, penetration testing or software composition analysis. This bill is sponsored by Representative Jeff Weninger (R – LD17) and has been assigned to both the House Committee on Appropriations and the House Committee on Rules.
Rarely do we see a bill that mandates that a state agency buy a software solution. However, it is a great way to force a conversation at the legislature. Reminding elected officials that cybersecurity is neither a one-time spend nor a one-item solution is an important way to ensure we all work together to secure the Grand Canyon State.
TL;DR
There are currently three bills in front of the State Legislature on cybersecurity. All three are fairly simple: require anyone who experiences a data breach to report to the ADOHS, discourage government agencies from paying ransom in a cyberattack, and require the ADOHS to procure an enterprise license for cybersecurity software. All three show how Arizona is advancing its cybersecurity preparedness and ramping up for potential cyberthreats.