Lacking the authority to mandate uniform cybersecurity standards, states are pioneering incentive-based laws based on industry frameworks. Legislators and experts in drafting these laws will discuss how states are filling the gap in federal law with a flexible and practical approach that aligns public policy with technical practices in ways that push towards measurable compliance standards.