The report, released this week by Zeichner Risk Analytics, showed that 36 states have failed to adopt or implement the cybersecurity standards required by Congress. The study examined laws in 50 states and the District of Columbia, comparing them with federal mandates.
"The states have generally not fulfilled their end of the bargain with the federal government to adopt cybersecurity laws governing financial institutions," the study said.
In particular, the report said that nearly half of all states are not discussing plans that would require insurance companies to secure their data. Lee Zeichner, president of Zeichner Risk Analytics, said states have focused their attention on security issues other than those related to databases in the wake of the terrorist attacks. "Post 9-11, a number of states had other priorities, so it fell off their radar screens," he said.
Zeichner said one of the most surprising findings was that even states with a large presence of insurance companies hadn't adopted laws to deal with the issue.
But the study's results don't mean that consumer data held by insurance companies isn't secure. Zeichner said insurance companies seem to be securing data on their own, even if states aren't creating or enforcing requirements that they do it. "I do believe that most companies, because of market pressures, are making sure customer information stays safe," he said.
Data leaks can be public relations nightmares for a company, especially when that company is trusted with confidential information such as credit card numbers.
The study comes as the federal government is stepping up its cybersecurity initiatives. Earlier this month, Congress devoted to cybersecurity, a subcommittee of the House Homeland Security Committee.