A Practice Note providing an overview of state laws, including the District of Columbia, that require those collecting, using, or managing personal information to take proactive data security measures. This Note addresses laws that call for reasonable data security measures, those that include more specific information security requirements, such as developing, implementing, and maintaining a written information security program (WISP), those that impose specific requirements on connected devices and the internet of things (IoT), those that provide incentives for organizations that comply with a reasonable, written information security program, and those included in state comprehensive consumer data privacy laws.