The 194th General Court of the Commonwealth of Massachusetts

Bill S.49 194th (Current)

An Act relative to cybersecurity and artificial intelligence

By Mr. Moore, a petition (accompanied by bill, Senate, No. 49) of Michael O. Moore and James B. Eldridge for legislation to implement annual statewide public employee cybersecurity training. Advanced Information Technology, the Internet and Cybersecurity.

Bill Information

Presenter:
Michael O. Moore
Status:
Referred to Senate Committee on Ways and Means
Special Attachments:
Senators committee vote

Emergency Preamble

Whereas, The deferred operation of this act would tend to defeat its purpose, which is to further regulate cybersecurity and artificial intelligence, therefore it is hereby declared to be an emergency law, necessary for the immediate preservation of the public safety.

Cybersecurity and AI

Section 1 (Inserting Section 12 of Chapter 7D): Requires Statewide Public Employee Cybersecurity Training

Modeled after the mandatory state ethics training, this provision would require that EOTSS, in conjunction with the Comptroller's Office, create and provide an online cybersecurity training program, and such special programs as needed to advance cybersecurity within the Commonwealth. All public employees across all three branches and in local government would be required to complete the annual training, or to provide their own training for their employees.

Establishing the Cybersecurity Control Board, Codifying the Critical Incident Response Team and Creating Critical Infrastructure Reporting Requirements

Section 1 (Inserting Section 13 of Chapter 7D): Definitions for the Cybersecurity Control Board (new Section 14), Critical Incident Response Team (new Section 15) and Critical Infrastructure Reporting Requirements (new Section 16)

Key definitions include:
• Covered entities: all government entities within the Commonwealth on the state and local level. In addition, any non-government entity is also a covered entity, so long as it is not a “small business.”
• Critical infrastructure: the assets, systems, and networks, either physical or virtual, within the commonwealth that are so vital to the commonwealth or the United States that the incapacitation or destruction of such a system or asset would have a debilitating impact on physical security, economic security, public health or safety or any combination thereof; provided, however, that “critical infrastructure” shall include, but not be limited to, election systems, transportation infrastructure, water, gas and electric utilities, and shall include any critical infrastructure sectors as identified by the federal Cybersecurity and Infrastructure Security Agency.
• Small business: any entity that, based on its size, scope, type of entity, amount of resources available, and need for confidentiality and security, does not face a reasonable risk of encountering a cybersecurity incident, as defined. However, a small business cannot include any entity involved with critical infrastructure or a government entity.

Section 1 (Inserting Section 14 of Chapter 7D): Creation of the Cybersecurity Control Board

Inserts a new section creating the Cybersecurity Control Board. The Board is tasked with creating and administering a state cybersecurity code. The code consists of a set of minimum cybersecurity requirements and any special requirements that the Board decides to create. Topics covered by the minimum cybersecurity code include, but are not limited to, authentication, data management, cybersecurity training and incident response plans, auditing and testing requirements, and encryption.

The Board is also empowered, only with respect to government-issued devices and systems, to issue Critical Cybersecurity Directives. These directives would be issued by the Board when there is a substantial risk to the cybersecurity of a government device or system, and the Board may require by such a directive that hardware, software or another system or service is prohibited from use or installation on government-issued devices or systems, or may qualify or condition such use. Government entities that receive such a directive are required to implement the directive within the timeframe set by the Board; however, a recipient of a directive may request relief from the Board, and the Board is empowered to provide such relief within certain limits.

Board makeup:
• The secretary of the executive office of technology services and security, or their designee, as chair;
• The secretary of the executive office of public safety and security, or their designee;
• The comptroller or a designee;
• The adjutant general of the national guard or a designee;
• The colonel of the state police or a designee;
• The executive director of the Massachusetts Technology Collaborative or a designee;
• A representative of Legislative Information Services;
• A representative of the Judicial Information Services Department;
• One member appointed by the Massachusetts CyberTrust;
• One member appointed by the Massachusetts Municipal Association;
• 9 members of the public appointed by the Governor who shall have experience related to cybersecurity, with at least 5 years of experience related to cybersecurity in the following fields, respectively:
  o Finance
  o Healthcare
  o Technology services
  o Utilities
  o Transportation services
  o Academia
  o Operational technologies for manufacturing
  o Law enforcement or homeland security
  o Federal experience

Section 1 (Inserting Section 15 of Chapter 7D): Codification of the Critical Incident Response Team

Codifies, and further empowers, the Critical Incident Response Team, which currently operates under an executive order from the Baker administration. The Response Team is structured as a standing subcommittee of the Cybersecurity Control Board (established under section 14).

Membership of the Team (8) includes:
• (chair) the secretary of the executive office of technology services and security or their designee;
• a representative of the commonwealth security operations center as designated by the director of security operations;
• the secretary of the executive office of public safety and security or their designee;
• a representative of the state police cyber crime unit;
• a representative of the commonwealth fusion center;
• the adjutant general of the Massachusetts National Guard or their designee;
• the director of the Massachusetts emergency management agency or their designee;
• the comptroller or their designee;
• and any other members of the cybersecurity control board as assigned by the chair.

The Response Team exists to enhance this commonwealth’s ability to prepare for, respond to, mitigate against and recover from significant cybersecurity incidents by reviewing cybersecurity threat information and vulnerabilities. The Response Team is required to develop and maintain an updated cybersecurity incident response plan for the commonwealth and submit such plan annually for review, not later than November 1, to the governor and the joint committee on advanced information technology, the internet and cybersecurity. The Response Team is tasked with conducting tabletop exercises to test the plan at least twice per year and tabletop testing with select governmental entities at least quarterly.

Section 1 (Inserting Section 16 of Chapter 7D): Critical Infrastructure Reporting Requirements

Any entity operating critical infrastructure (as defined in section 13) will be required to report a cybersecurity incident to the commonwealth fusion center.

The report must include at least:
• a timeline of events, and the type of cybersecurity incident known or suspected;
• how the cybersecurity incident was initially detected or discovered;
• a list of the specific assets that have been affected or are suspected to be affected;
• copies of any electronic communications that are suspected of being malicious, if applicable;
• copies of any malware, threat actor tool or malicious links suspected of causing the cybersecurity incident, if applicable;
• any digital logs such as firewall, active directory and event logs, if available;
• forensic images of random access memory or virtualized random access memory from affected systems, if available;
• contact information for the covered entity and any third-party entity engaging in cybersecurity incident response that is involved; and
• any other information as required by the commonwealth fusion center or secretary.

In response to the notice, the fusion center may coordinate with the Response Team to recommend response measures. In addition, the Response Team may assist the impacted entity with implementing the response measures and share information with the entity on other entities that are capable of providing mitigation and remediation support.

Massachusetts Innovation Fund and State Agency Technology Upgrades Account

Section 1 (Inserting Section 17 of Chapter 7D): Massachusetts Innovation Fund and State Agency Technology Upgrades Account

Creates a Massachusetts Innovation Fund to be administered by a board. Public members of the Board serve for six years with the option of one additional term.

The Board is made up of:
• the comptroller;
• the secretary of the executive office of technology services and security;
• the governor;
• two members of the senate appointed by the president of the senate;
• two members of the house appointed by the speaker of the house;
• one member of the public with relevant subject matter expertise appointed by the governor;
• three state employees primarily having technical expertise in information technology development, financial management, cybersecurity and privacy, and acquisition, appointed by the secretary of EOTSS.

The Board will review and authorize loan applications from state agencies for qualifying information technology modernization projects. The application must include a description of the project. Upon approval, the Board creates a state agency upgrades account with money from the fund. The state agency has up to three years to request money from the account, the leftover of which will be transferred to the general revenue fund. The loan must be repaid by the agency within 7 years. Funds provided to an agency will supplement the agency’s operating budget and shall not supplant any funds appropriated to the agency. Agencies may collaborate with other state agencies on their modernization projects.

Creation of the Automated Decision-Making Commission

Section 1 (Inserting Section 18 of Chapter 7D): A Commission on Automated Decision-Making is created within the executive office of technology services and security and tasked with studying the use of automated decision systems across government and the private sector. The Commission is tasked with promulgating rules, standards and safeguards, as well as making recommendations to the legislature.

Its membership is:
• The secretary of technology services and security or the secretary’s designee, who shall serve as chair;
• 1 member of the Senate, designated by the Senate President;
• 1 member of the House, designated by the Speaker of the House;
• The chief justice of the supreme judicial court or a designee;
• The secretary of the Executive Office of Public Safety and Security, or a designee;
• The secretary of the Executive Office of Health and Human Services, or a designee;
• the executive director of the American Civil Liberties Union of Massachusetts or a designee;
• 3 representatives appointed by the Governor from academic institutions in the Commonwealth who shall be experts in
  o artificial intelligence and machine learning,
  o data science and information policy,
  o social implications of artificial intelligence and technology;
  o technology and the law;
• the executive director of the Massachusetts Law Reform Institute or a designee;
• 1 representative from the National Association of Social Workers;
• 1 representative from the NAACP;
• 1 representative from the Massachusetts Technology Collaborative;
• 1 representative from the Massachusetts High Technology Council;
• Six members of the business community appointed by the Governor with experience in
  o artificial intelligence and machine learning,
  o data science and information policy,
  o social implications of artificial intelligence and technology;
  o technology and the law.

It will be tasked to survey all uses of, trainings related to, and procedures for the procurement, evaluation, auditing, validation and testing of automated decision making in business entities along with state, county and local government offices. It will produce a list of all automated decision systems in use by governmental units and the policies in place to govern their use, acquisition or deployment, including contracts with third parties.

In addition, it will research issues related to transparency, explicability, auditability, and accountability, including the decision system’s availability to external review. It will examine how these systems are assessed for biases and the protections that are in place for the due process rights of individuals that are subject to their decisions. It will also rely on technical, legal, policy and academic expertise on data sources, intellectual property, transparency procedures and biases in AI and automated decision-making systems to inform its recommendations. Automated decision making includes algorithms and statistical processes, as well as AI, in arriving at a decision that would otherwise be made by a human. This commission’s mandate is to examine all forms of automated decision making. It is to meet a minimum of 10 times per year (to be broadcast), with an annual report by December 31st to the governor, clerks of the house and senate, and AITIC. This report will include the commission’s activities and community engagement, as well as its findings.

The commission is empowered to promulgate rules and regulations to:
• Promote racial and economic justice, equity, fairness, accountability, and transparency;
• Establish authorized areas, qualifications, conditions, limits or prohibitions on governmental use of an automated decision system;
• Allow a person affected by an action made with the assistance of an automated decision system to request and receive an explanation of such action and its basis;
• Assess the disproportionate or unfair impact of an automated decision system on a person or group based on an identified group characteristic, including prior to or during the procurement or acquisition process;
• Address instances in which a person or group is harmed by a governmental unit’s automated decision system if any such system is found to disproportionately impact a person or group on the basis of an identified group characteristic;
• Allow the public to assess how each automated decision system functions and its use by governmental units; and
• Protect the data of individuals used as part of the training data, including obtaining their informed consent before collecting, using, sharing or disclosing their data, as well as the deletion or de-identification of any data collected if it is no longer needed for the intended purpose of the training.

Civil Defense Act Cybersecurity Attack Clarification

Section 2: Clarifies that the Civil Defense Act (the primary source of emergency authority for the Governor) may be invoked in response to a cyber-attack by expanding the applicable definition to include a “cybersecurity attack or threat thereof that affects the commonwealth’s critical infrastructure, information systems owned or operated by the commonwealth, or other infrastructure or cyber systems deemed necessary and at risk by the governor.”

Section 3: Adds corresponding definitions for critical infrastructure (identical to the one in section 13), cybersecurity attack and cyber system to the definitions section of the Civil Defense Act.

Data Breach (Chapter 93H) Improvements

Sources: S. 30 / H.76, An Act relative to protecting sensitive information from security breaches (Sen. Finegold / Rep. Nguyen); S. 198, An Act protecting personal identifying information (Sen. Moore).

Section 4: Inserts a definition of “Biometric Information” which includes retina or iris scan, fingerprint, voiceprint, and other types of unique biological or physical patterns.

Section 5: Clarifies that a “breach of security” includes any unauthorized acquisition or use of personal information that compromises the security, confidentiality, or integrity of the data. As currently written, Chapter 93H specifies that a “breach” must create a “substantial risk of identity theft or fraud.” This language is not as suitable for breaches of sensitive information like health or geolocation data, which pose significant dangers other than identity theft or fraud.

Section 6: Defines genetic information, health insurance information and medical information.

Section 7: Updates the definition of “personal information” in MA’s data security law to safeguard additional sensitive information, including: biometric, genetic, geolocation, or health data; full date of birth; and usernames or email addresses, along with the password or security question and answer that would grant access to an account.

Section 8: Inserts a definition for “Specific Geolocation Information” as information derived from technology, including GPS, that can identify the location of an individual down to an area equal to or less than 1,850 feet.

Section 9: Requires that the rules and regulations be updated as changes in the definitions of breach of security and personal information take place.

Section 10: Expands the application of the data breach law from only when data breaches create a risk of identity theft or fraud to when the use or acquisition of data would present a reasonably foreseeable risk of financial, physical, reputational or other cognizable harm to the resident.

Section 11: Expands reporting requirements to include reporting the type of personal data compromised.

Section 12: Expands data breach reporting requirements to include reporting to the FBI.

Section 13: Exempts the credit monitoring services requirement if the breached data is medical information or specific geolocation information.

Section 14: Expands the required notice to impacted residents to require background about the nature of the breach, what kinds of data were exposed, and, when login credentials are exposed, a prompt for affected residents to change their password information.

Protections Related to Autonomous or Remote-Controlled Weaponized Robots

Section 15 (Inserting Section 122E of Chapter 140)

Purpose: Advanced mobile robots have become enormously beneficial to workers in many industries across the Commonwealth, including energy, conservation, construction, manufacturing, and public safety. These technologies keep people safe and help them do their jobs more efficiently. However, as these robots have become increasingly accessible to everyone, there are examples of people mounting dangerous weapons to them, often with the goal of creating a sensational, viral social media video. The misuse of weaponized remote-controlled or autonomous robots is unethical, poses a serious public safety threat, and damages the public’s acceptance of these beneficial technologies in society. This section addresses this problem by ensuring that advanced robotics are used ethically and safely, and fosters public confidence and community support of an important source of innovation in the Commonwealth.

Main Provisions:
• Prohibits the manufacture, sale, use or operation of a robotic device or drone that is mounted with a weapon. It also prohibits the use of these technologies to threaten or harass anyone.
• Leaves unaffected the U.S. Department of Defense, its military contractors, and companies that obtain a waiver from the Attorney General to test anti-weaponization technologies. Military technologies, and their development and manufacturing, are well-managed and not at issue.
• Provides an exception for bomb squad officials who are disabling suspected explosives, and welcomes more specific regulation on that topic. These are operations that protect public safety and that are conducted by experienced, trained officials.
• Increases public confidence in the use of robotic technologies by law enforcement officials: the section clarifies that warrants are needed when entry onto private property is made by a robot, except in exigent circumstances, and that information about law enforcement use of these technologies shall be available to the public under Massachusetts public records law.

Misc. Provisions

Section 16: Directs the state auditor to prioritize auditing cybersecurity risk for agencies performing a critical role in the function of the government. This provision is sunset after 3 years.

Section 17: Repeals Section 16, which prioritizes cybersecurity audits for critical agencies for 3 years. See Section 20.

Section 18: Staggers the duration of initial appointments to the Cybersecurity Control Board by making initial terms 3 / 4 / 5 years. After the initial term, all subsequent terms will be 5 years. This avoids complete turnover of the Cybersecurity Control Board.

Section 19: Requires appointments to the Cybersecurity Control Board to be made within 45 days of the effective date of the act.

Section 20: Requires the Cybersecurity Control Board to promulgate minimum cybersecurity standards within a year of the effective date of the act; however, the Board must hold at least 3 listening sessions in geographically diverse areas prior to adopting such standards.

Section 21: Repeals Section 16 after 3 years. See Section 17.

Section 22: Sets an immediate effective date for the act, except where otherwise specified.
* The bill summary was created by the Primary Sponsor of the bill; no committee of the General Court certifies the accuracy of its contents.
