BILL NUMBER: S1139
SPONSOR: GONZALEZ
 
TITLE OF BILL:
An act to amend the state technology law, in relation to requiring
governmental entities to implement multifactor authentication for local
and remote network access
 
PURPOSE:
Amends the State Technology Law to require all government entities in
the State to require multifactor authentication for access to the
servers, email or official applications used by their employees or agents.
 
SUMMARY OF PROVISIONS:
Section 1 adds new subdivisions 9 and 10 to Section 202 of the State
Technology Law, which sets definitions for the terms "governmental
entity" and "multifactor authentication."
Section 2 adds new sections 210, 211, and 212 to the state technology
law.
Section 210 adds multifactor authentication requirements and provides
for technical standards and waivers.
Section 211 adds privacy requirements regarding the use of multifactor
authentication using biometric information.
Section 212 adds encryption requirements for all government websites.
Section 3 sets the effective date.
 
JUSTIFICATION:
Cyberattacks on public entities are occurring with increasing frequency.
In Microsoft's 2021 cybersecurity report, 48% of all cybersecurity
attacks targeted government entities. Since 2017, more than 3,600 local,
state, and tribal governments across the country have been targeted by
ransomware hackers, which is just one type of cyberattack. Lapses in
cybersecurity could require the state's most essential services to
decide between paying expensive ransoms or losing access to systems.
Multifactor authentication (MFA) can significantly reduce the
vulnerability of public systems. According to Google, multifactor can prevent
100% of automated bots, up to 99% of bulk phishing attacks and up to 90%
of targeted attacks. According to Microsoft, an account is 99.9% less
likely to be compromised when using MFA. Therefore, requiring the use of
MFA at sensitive governmental institutions is an important step the
state can take to improve its cybersecurity preparedness.
Importantly, MFA is cost-effective to implement due to the connectivity
of devices and web applications. Requiring governmental agencies to use
this technology is a low-cost proposition that can greatly increase
protection against cyberattacks.
 
LEGISLATIVE HISTORY:
2023-2024: S6474A: Amended and Recommitted to Finance; A7331B: Third
Reading
2021-2022: New bill S2652; referred to Internet and Technology
Committee; referred to Finance
 
FISCAL IMPLICATIONS:
To be determined.
 
EFFECTIVE DATE:
This act shall take effect one year after becoming law.

Statutes affected:
S1139: 202 state technology law