State and local government policies often require organizations to implement “reasonable cybersecurity” but do not specify what that means. This ambiguity can leave systems inadequately protected and expose organizations to liability lawsuits over data breaches.
A new guide from the Center for Internet Security provides a framework that organizations can use to meet reasonable cybersecurity standards that deliver the twin benefits of improved security and reduced litigation.
Released in May, “A Guide to Defining Reasonable Cybersecurity” is the result of collaboration between technologists and legal experts at the Center. It has several goals. One is to define what constitutes reasonable cybersecurity: since there is no federal law defining it, each state writes its own laws.
The Guide defines reasonable cybersecurity as “measures designed to protect against the loss, misuse, unauthorized access, or alteration of information or data and based on a reasonable standard of care that would be taken by a reasonably prudent person in the same or similar circumstances.” Factors to consider include the size and complexity of the organization, the nature and scope of its activities, the sensitivity of the information to be protected, and the cost and availability of tools to improve information security.
This guide focuses on the efforts of six states that are leading the way in enacting Safe Harbor laws, which provide that public and private entities cannot be held liable for data breaches if they can demonstrate that they have implemented standard safeguards.
“What the state did was, ‘If you just implement one of several frameworks [we’ve] specified in the law, we give you a safe harbor,’” said Curtis Dukes, co-author of the report. “That doesn’t mean you can’t be dragged to court. If you can prove that you’ve chosen a framework, that you actually implemented that framework, and [have] proof artifacts [of it] … the courts will take that into account and say, ‘You have met the standard of reasonableness and the liability concerns against you are absolved.’”
Ohio was the first state to enact a safe harbor law, in 2018. Utah and Connecticut quickly followed suit. Florida, Iowa and Nevada now also have safe harbor provisions. Dukes said they are all very similar in scope, with the exception of Connecticut, whose “Legislation to encourage adoption of cybersecurity standards for businesses” places a cap on claims for damages.
Another goal of the guide is to reduce litigation. Currently, lawsuits over data breaches require proof of negligence. “Typically, this means that a plaintiff hires a cybersecurity expert who testifies that what the company provided was not reasonable (i.e., it lacked important security features or practices), and then the company hires a cybersecurity expert who testifies that what the company provided was reasonable,” the report states.
Reasonable cybersecurity standards applied at the national level would eliminate the opinion element, provide incentives for organizations to strengthen security, and increase consumer confidence.
As an aside, meeting the standards could help organizations obtain cybersecurity insurance. “Insurance underwriters are moving toward forcing cybersecurity improvements by only offering insurance if you meet minimum standards of cyber hygiene, and offering discounts if you can demonstrate that you have actually adopted those controls and procedures,” says Dukes, who is also executive vice president and general manager of security best practices at the Center for Internet Security. “I think the insurance industry is also already moving toward establishing a guide, a set of best practices. In my opinion, it’s not a separate set of best practices, but simply adopting one or more best practices that trace back to an existing cybersecurity framework.”
That way, if a breach does occur, your insurance company can be sure the appropriate steps were taken and will pay the claim.
Similarly, standardization could also help with ransomware payment decisions: “If you apply this to safe harbor laws, then if you actually implement the framework and you experience a ransomware event, you should have legal protection from litigation,” Dukes said.
All 50 states have security breach notification laws that require organizations to notify consumers or citizens if their personal information has been compromised. The Safe Harbor standard goes a step further by making data security requirements part of broader consumer data privacy laws.
Dukes believes we’ll see federal legislation on reasonable cyber standards within the next three to five years, and he said he sees evidence of that in efforts like the National Cybersecurity Strategy and the Center for Internet Security’s own Critical Security Controls, a collection of best practices for strengthening protections.
The government is “starting to shift the burden of responsibility off of consumers and put it squarely on the vendors,” he said. “Everything is moving from a liability standpoint…. Cybersecurity frameworks need to be adopted and implemented, and best practices need to be followed to be secure by design and secure by default.”