🗺️ State-Level Security Mandates: Navigating Texas TAC 202, NY DFS, and Beyond
By James K. Bishop, vCISO | Founder, Stage Four Security
🌐 Security Isn’t Just Federal Anymore
State governments are increasingly asserting cybersecurity oversight with enforceable mandates. If your organization handles sensitive consumer or citizen data across state lines—or works with public sector clients—you’re likely subject to multiple overlapping frameworks.
This post explores key state-specific cybersecurity regulations, including Texas TAC 202, New York DFS, California’s CCPA/CPRA, Massachusetts 201 CMR 17.00, and more. We’ll break down what they require, who they affect, and how to align them into a unified strategy.
🇺🇸 Texas Administrative Code – TAC 202
Who it affects: All Texas state agencies, public colleges and universities, and contractors that create or maintain state-owned information resources.
Key requirements:
- Appointment of an Information Security Officer (ISO)
- Formal risk-based information security program
- Annual information security awareness training
- Compliance with the Texas DIR Security Control Standards Catalog (based on NIST SP 800-53)
- Mandatory incident reporting through the Texas Cybersecurity Incident Reporting System (TCIRS)
Enforcement: Non-compliance may lead to funding restrictions, audit findings, and contract ineligibility.
🏙️ New York DFS Cybersecurity Regulation (23 NYCRR 500)
Who it affects: Financial institutions and insurers regulated by the New York Department of Financial Services (DFS), including banks, mortgage brokers, insurance companies, and FinTechs.
Key requirements:
- Risk-based cybersecurity program tailored to business operations
- Appointment of a qualified CISO with board reporting responsibilities
- Annual penetration testing and biannual vulnerability assessments
- MFA for remote and privileged access
- 72-hour breach notification requirement
- Annual certification of compliance filed with the DFS
Enforcement: DFS has issued multimillion-dollar penalties for violations. This regulation is treated as a regulatory requirement—not a suggested framework.
🌉 California CCPA/CPRA – Privacy with a Security Backbone
Who it affects: Businesses that handle the personal data of California residents and have annual revenue over $25 million, or that buy, sell, or share the personal data of 100,000+ consumers.
CCPA: Introduced foundational privacy rights for California residents, including the right to know, delete, and opt out of the sale of personal data.
CPRA (effective 2023): Expanded on CCPA with the creation of the California Privacy Protection Agency (CPPA) and a mandate for “reasonable security measures.”
Security-related obligations:
- Implement reasonable administrative, technical, and physical safeguards for personal information
- Conduct regular risk assessments and cybersecurity audits for high-risk processing
- Limit data collection to the minimum necessary
- Provide transparency into third-party data sharing and enforce contractual security requirements
Key takeaway: While not a security standard per se, CPRA’s “reasonable security” clause creates legal exposure in the event of a breach—especially if standard safeguards (e.g., encryption, access control, logging) are missing.
🛡️ Massachusetts 201 CMR 17.00 – A Security Program Mandate
Who it affects: Any entity (including out-of-state companies) that stores, processes, or transmits personal data of Massachusetts residents.
Key requirements:
- Written Information Security Program (WISP)
- Encryption of personal information in transit and on portable devices
- Access controls to limit employee access to sensitive data
- Third-party vendor security verification and contracts
- Regular monitoring and testing of security programs
Why it matters: This regulation is highly prescriptive—especially in comparison to broader NIST-aligned guidance. If you mishandle Massachusetts data and suffer a breach, the Attorney General may seek civil penalties, especially if your WISP or encryption is lacking.
🌐 Other Notable State Mandates
- Illinois: Biometric Information Privacy Act (BIPA) mandates strict safeguards and consent for biometric data (e.g., fingerprints, facial scans).
- Nevada SB 220: Requires website operators to honor consumer opt-out requests for the sale of covered personal information and to maintain security measures for that data, including with their data processors.
- Connecticut: Adopts a safe harbor for companies that implement frameworks like NIST or ISO 27001, encouraging voluntary adoption of cybersecurity best practices.
As of 2025, over 20 states have active or pending legislation requiring breach notification, data protection policies, and consumer rights.
🛠️ Strategy: Harmonize, Don’t Fragment
State laws vary, but they often overlap. The best approach is to build your program around a unifying framework (NIST CSF, ISO 27001, or CIS Controls), and then map state-specific clauses as additional layers. Maintain a legal register of obligations by state and update your incident response plan accordingly.
📣 Final Thought
The U.S. may not have a single federal cybersecurity law—but your compliance requirements are stacking up at the state level. Businesses that proactively align to these standards earn a trust advantage—and avoid the costly chaos of reactive compliance.
Need help aligning with Texas TAC 202, NY DFS, CCPA/CPRA, or Massachusetts 201 CMR 17.00? Let’s talk.
