Landmark Cybersecurity and AI Bill Approved by Legislative Committee

(BOSTON 12/22/2023) — Today, the Joint Committee on Advanced Information Technology, the Internet, and Cybersecurity chairs Senator Michael Moore and Representative Tricia Farley-Bouvier announced that a wide-ranging bill centered on cybersecurity and artificial intelligence has been reported favorably out of Committee by a unanimous vote of its members. The bill, which bolsters Massachusetts cybersecurity capabilities and brings reasonable regulation to the rapidly accelerating artificial intelligence industry, will help the Commonwealth better prepare for the uncertainties of the future and make our digital systems more resilient to bad actors.

“It is hard to grasp how much of our lives revolve around digital systems these days. Critical banking information, sensitive healthcare reports, detailed tax and income data, and so much more are all stored on servers that may be vulnerable to breaches if the proper precautions are not taken,” said Senator Michael Moore (D-Millbury). “This legislation would mark a paradigm shift in cybersecurity and AI policy in the Commonwealth, showing the United States and the world that Massachusetts can and will lead on protecting our data, our systems, and, most importantly, our people from the threats of tomorrow. I’d like to thank my co-chair Representative Tricia Farley-Bouvier, the hardworking members of the Committee, and the legislators focused on these vital issues for their collaboration on this bill.”

“I am grateful to my Senate co-chair for his leadership on the critical issue of cybersecurity. Cybersecurity threats put our residents at risk daily, but this legislation provides state and local government and small businesses the infrastructure to mitigate, respond to, and recover from these threats and incidents,” said House Chair Tricia Farley-Bouvier (D-Pittsfield).

“I’m grateful to Senator Moore and the entire Joint Committee on Advanced Information Technology, the Internet, and Cybersecurity for their diligence in addressing the pressing issues of cybersecurity and artificial intelligence,” said Senate President Karen Spilka (D-Ashland). “On behalf of the Senate, I look forward to reviewing this bill further.”

“Massachusetts must continue to evolve with the ever-changing cybersecurity landscape. I commend Chairs Moore and Farley-Bouvier for their legislation to establish guidelines for cyber incident reporting, equip workers with tools and training, and create guardrails for AI. With cybersecurity incidents on the rise, especially for more vulnerable groups like our seniors, I am proud to support this timely legislation,” stated Senator Barry R. Finegold (D-Andover).

The legislation includes a comprehensive set of policies designed to bring our cybersecurity and AI preparedness up to the latest standards and to keep the Commonwealth up to date as technology continues to rapidly advance. The provisions include:

Mandatory Statewide Public Employee Cybersecurity Training

This bill directs the Executive Office of Technology Services and Security, in conjunction with the Comptroller’s office, to create and provide an online cybersecurity training program to all public employees, including statewide officials and staff, public authorities, and local government. It will be modeled after the Commonwealth’s existing mandatory state ethics training program.

Creates a Cybersecurity Control Board

The legislation creates a new board tasked with creating and administering a state cybersecurity code. The code consists of a set of minimum cybersecurity requirements and any special requirements that the board deems appropriate to create. Topics covered by the minimum cybersecurity code include:

  • Authentication

  • Data management

  • Cybersecurity training and incident response plans

  • Auditing and testing requirements

  • Threat mitigation and vulnerability patching

  • Encryption

Made up of high-level government officials, cybersecurity experts, experienced professionals, and others, the board is directed to consider the size of entities, their available resources, the type of entity, and the need for security of the data they handle when creating the standards. The board may also issue Critical Cybersecurity Directives, adding certain requirements or limitations to government devices and to non-government devices that connect with a government system.

Codifies the Critical Incident Response Team

Currently operating under an executive order from the Baker administration, the Critical Incident Response Team is codified into law by this bill. The Response Team, made up of government officials and cybersecurity experts, develops and maintains a cybersecurity incident response plan that lays out protocols for when cybersecurity breaches and ransomware attacks hit government systems. This bill would require the Response Team to submit its plans annually for review by the Governor and the Joint Committee on Advanced Information Technology, Cybersecurity, and the Internet.

Establishes Critical Infrastructure Reporting Requirements

This bill requires any entity operating a system defined as critical infrastructure to report cybersecurity incidents to the Commonwealth Fusion Center. The report must include:

  • A timeline of events, and the type of cybersecurity incident known or suspected

  • How the cybersecurity incident was initially detected or discovered

  • A list of the specific assets that have been affected or are suspected to be affected

  • Copies of any electronic communications that are suspected of being malicious, if applicable

  • Copies of any malware, threat actor tool or malicious links suspected of causing the cybersecurity incident, if applicable

  • Any digital logs such as firewall, active directory and event logs, if available

  • Forensic images of random access memory or virtualized random access memory from affected systems, if available

  • Contact information for the covered entity and any third-party entity engaging in cybersecurity incident response that is involved

  • Any other information as required by the secretary

Reports will be exempt from Massachusetts public records law due to the sensitive nature of the information within them.

Creates a Commission on Automated Decision-Making

The legislation institutes a board within the Executive Office of Technology Services and Security to study the use of automated decision systems in government and the private sector. This includes researching issues related to transparency, auditability, and accountability, as well as examining how these systems are assessed for biases and protections. It will then recommend rules, standards, and safeguards to the Legislature. The board will meet in a series of publicly broadcast meetings and issue an annual report to the Governor and the Legislature.

Establishes the Massachusetts Innovation Fund and State Agency Technology Upgrades Account

To fund information technology modernization projects in government agencies, this bill creates the Massachusetts Innovation Fund, to be administered by a board made up of government officials. The fund will issue loans for qualifying projects, to be repaid within 7 years.

Updates the Civil Defense Act

The legislation would clarify that the Civil Defense Act, the primary source of emergency authority for the Governor, may be invoked in response to a cyber-attack. It also updates the definitions of critical infrastructure, cybersecurity attack, and cyber system.

Expands Protections of Existing Data Breach Laws

This bill would update existing data breach laws (chapter 93H) to include protections for consumer information, including:

  • Biometric information

  • Genetic information

  • Geolocation

  • Health data

  • Date of birth

  • Usernames and passwords

  • Email addresses

It also strengthens notification requirements for individuals whose personal information has been compromised by a cyberattack.

Prohibits the Weaponization of Robots

The bill would prohibit the manufacture, sale, use, or operation of a robotic device or drone that is mounted with a weapon. It also prohibits the use of these technologies to threaten or harass an individual. The provision allows the US Department of Defense, its military contractors, and companies that obtain a waiver from the Attorney General to test anti-weaponization technologies. It also clarifies that warrants are needed for law enforcement to use robots to enter private property, and that all law enforcement use of these technologies must be available under Massachusetts public records law.

Blocks Cybersecurity Insurers from Instituting Limits on Government Notification

This provision prohibits cybersecurity insurers from placing limits on the ability of the insured to notify the government of a cybersecurity incident or data breach.

Promotes Cybersecurity Regional Alliances and Multistakeholder Partnerships

The bill establishes a fund to promote alliances and partnerships between public higher education institutions by:

  • Stimulating cybersecurity education and workforce development by bringing together stakeholders in the cybersecurity ecosystem

  • Aligning the cybersecurity workforce needs of employers with the education and training provided by institutions of higher education

  • Increasing the pipeline of students pursuing cybersecurity careers

  • Developing the cybersecurity workforce to meet industry needs within local or regional economies


The Joint Committee on Advanced Information Technology, the Internet, and Cybersecurity’s action comes in the wake of several high-profile cybersecurity news stories, including the recent Xfinity security breach that exposed the personal information of 36 million customers, reports that an Iran-linked cybercriminal group has been targeting municipal water treatment systems and factories, Rite Aid’s misuse of AI facial recognition to falsely tag shoppers as shoplifters, and attacks on healthcare systems in New Jersey, to name a few examples. These incidents show the urgency of action to bolster Massachusetts’ digital systems, both public and private infrastructure, against cyber criminals. The policy put forward in this bill will harden the Commonwealth against attacks, minimize disruptions when breaches do occur, and make our systems more resilient during recovery.

Having been approved by the Joint Committee on Advanced Information Technology, the Internet, and Cybersecurity, the bill now will move forward to the Senate Committee on Ways and Means for further review.

###