NetworkTigers discusses the best and worst US states for personal data privacy.
The United States, China and Russia are regarded as the top three nations when it comes to cybersecurity. All three invest heavily in online infrastructure and use advanced tools to conduct research. China and Russia’s destructive motivations and cyber capabilities are widely publicized, but the US is characteristically silent on its international operations with few mentions of them outside of state-sponsored media outlets in adversarial nations.
The US has recently made efforts to bolster its cyber capabilities in the form of two laws passed recently.
According to the EC Council Cybersecurity Exchange,
“The State and Local Government Cybersecurity Act of 2021 is designed to improve coordination between the Cybersecurity and Infrastructure Security Agency (CISA) and state, local, tribal, and territorial governments.”
“The Federal Rotational Cyber Workforce Program Act of 2021, U.S. government employees in IT, cybersecurity, and related fields will be able to rotate through roles across agencies, enabling them to gain new skills and experience in a variety of job functions.”
These laws signal the Biden administration’s acknowledgement of the importance of strengthening the country’s cyber presence. Does this have an impact on individuals? As companies amass vast amounts of personal information via social media, advertising and websites, what laws are there to protect data belonging to US residents not directly involved in national security?
As with most laws in the US, data protection laws vary on a state-by-state basis. A 2021 report by Comparitech describes which states have taken the initiative to protect the data and privacy of US residents and which are lagging behind.
US states with the best data privacy laws
These states have put laws and regulations in place that acknowledge and protect citizens’ right to privacy and restrict how, where and for how long their data can be used.
California is found at the top of the list repeatedly when it comes to cybersecurity laws at a state level. This is because California’s regulations are highly detailed and cover more issues than other states choose to even acknowledge. Its state constitution is also the only one in the country to explicitly mention a right to privacy.
California’s Electronic Communications Privacy Act protects data from law enforcement, allowing companies to refuse to disclose private customer information without a warrant.
The Consumer Privacy Act of 2018, which became effective in 2020, gave users the right to know what data companies collect from them and how they share it. It even allows customers to demand that companies delete any personal data collected.
Additionally, California has laws in place that protect data gathered from Internet-Of-Things devices and restrict marketing to minors.
Delaware ranks only slightly behind California. The state has passed similar laws, including those that require the deletion of customer data after a certain amount of time and protect the privacy of employees.
A privacy pioneer, Illinois was the first state, in 2008, to enact laws that protect fingerprints, retina scans and other forms of biometric data. More than a decade later, other states are only now beginning to address this data issue.
Illinois also has regulations in place that restrict the use of artificial intelligence and laws that prohibit companies and schools from demanding that people hand over social media account credentials.
US states with the worst data privacy laws
These states do not appear to take privacy protection seriously. They lag behind the rest of the country with regard to data collection lawsl.
In Wyoming, companies can retain customer data indefinitely. They can require their employees to provide login credentials to their social media accounts. The state has no protection for journalists when it comes to exposing their sources.
However, the tide may be turning. In March of 2022, Governor Mark Gordon signed the Wyoming Genetic Data Privacy Act into law. This law gives consumers more control and insight into how companies use their genetic data.
While a small step, this at least shows that Wyoming lawmakers are becoming aware of the importance of giving citizens some control over what information about them is available.
While Idaho does provide a basic website of resources and information for those who have been hacked or want to learn more about cybersecurity, much of this boils down to ways for companies or individuals to protect themselves with no indication of how the state government itself can assist.
With Idaho placing no limits on how long private or government entities can retain personal data, no laws protecting journalists and their sources and nothing stopping companies and schools from demanding social media credentials from employees or students, the state has a long way to go with regard to empowering its citizens.
Mississippi does not have any state laws in place that protect personal data from employers. This means that companies can demand to see their accounts and communications. Companies can also hold onto user data indefinitely and there are no protections at all for student information belonging to children from kindergarten through 12th grade.
The state has enacted laws that require companies to disclose to the government when a breach has occurred and mandatory surveys and compliance requirements are being rolled out. However, according to Mississippi Auditor Shad White in 2019, the majority of the companies who were contacted to be surveyed never responded and, of those that did, more than half did not meet the state’s requirements.
The state did pass the Mississippi Computer Science and Cyber Education Equality Act, which mandates that computer science programs, including cybersecurity, be taught to students K-12.
This law shows that the state sees the importance of computing and cybersecurity knowledge on the surface, but as yet does nothing to protect privacy. In fact, contrary to the bill’s name, much of it comprises amendments that educators must comply with that forbid any mention of abortion and tightly restricting what can be covered in sex education courses.
How to protect your data privacy
While laws regarding data protection and privacy are important, the fact remains that anyone who uses the internet is on the front lines. Self-protection is the best approach.
- Keep private data and information off the internet.
- Use online resources to stay privy to cybersecurity threats and trends.
- Know how to identify phishing attempts.
- Educate your family, employees and coworkers on the importance of cybersecurity.
- Update your systems regularly and refresh old hardware by purchasing refurbished gear from a reputable dealer.