Stop making cybersecurity decisions based on shiny objects and people’s opinions, and instead base strategic decisions on a published cybersecurity framework. This is the clear message to emanate from three similar laws passed between 2018 and 2021 in the US states of Ohio, Utah and Connecticut. These three states are providing organizations a safe harbor if they select and implement a cybersecurity framework, with the incentive hopefully giving organizations the impetus to act.
Cybersecurity frameworks are not a new concept. Starting with NIST SP 800-53 in 2005, industry experts have tried to distil best practices for information security so that organizations would not be left to decide on their own how best to defend their data. Unfortunately, the adoption of cybersecurity frameworks has been haphazard, with industry regulatory bodies consequently attempting to dictate security best practices through regulations. This approach, combined with the often-impenetrable language of the initial frameworks, led many in the field to discount the use of frameworks unless a framework provided a specific competitive advantage in contractual negotiations, or they worked in an industry where contractual requirements mandated adherence to one.
Lawmakers started taking a different approach in Ohio in 2018 when they passed a legal safe harbor in Senate Bill 220. This was the first law in the US to provide an affirmative defense to companies defending themselves against lawsuits following a data breach, if the organization could demonstrate that their data security policies followed one of several possible frameworks, as stated in the law:
- The NIST Cybersecurity Framework, NIST’s SP 800-171, SP 800-53, or SP 800-53a, FedRAMP, the CIS Critical Security Controls, or the ISO 27000 family;
- For regulated entities, the cybersecurity requirements of HIPAA, the Gramm-Leach-Bliley Act, FISMA, or HITECH, as appropriate; or
- The PCI Data Security Standard (PCI DSS) in conjunction with one of the other standards listed in (1) or (2).
To be clear, the law does not prevent plaintiffs from filing lawsuits; rather, if an organization can show that they “create, maintain and comply with a written cybersecurity program”, then they can probably defeat tort claims that are filed in an Ohio court or based on Ohio law alleging that the breach was due to a company’s failure to comply with reasonable security standards.
In March 2021, Utah took a slightly different approach to creating a cybersecurity safe harbor under HB80. It used the same list of frameworks, with the addition of the HIPAA Security Rule. Under Utah law, the written cybersecurity program must have administrative, technical and physical safeguards to protect personal information. From the law, those measures must:
- be designed to protect the security, confidentiality and integrity of personal information against anticipated threats and hazards, as well as a breach of system security;
- reasonably conform to an industry-recognized cybersecurity framework such as NIST 800-171 or 800-53, FedRAMP, CIS controls, ISO 27000 and/or PCI DSS, and federal laws including the cybersecurity requirements of HIPAA, the Gramm-Leach-Bliley Act, FISMA and HITECH, as appropriate; and
- be of “appropriate scale and scope” to the company, the nature of its activities, the sensitivity of the information to be protected, and the tools and resources available to the entity.
Part of the nuance of the Utah law is that it does not just cover tort claims and so can potentially be applied as an affirmative defense against contract claims. However, the safe harbor cannot be claimed if an organization had actual notice of a threat or hazard to the security, confidentiality or integrity of personal information, or if it did not act within a reasonable amount of time to take known corrective measures to protect the personal information involved in the breach. Finally, the scale and scope of the program must be appropriate to the size of the company, although this is common sense.
Connecticut’s new law, which goes into effect on October 1, 2021, similarly provides an affirmative defense exclusively against tort claims where the plaintiff alleges that a breach was the result of a business failing to implement reasonable cybersecurity controls. However, it is more nuanced still than Ohio’s, particularly in subsection (b):
In any cause of action founded in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable cybersecurity controls resulted in a data breach concerning personal information or restricted information, the Superior Court shall not assess punitive damages against a covered entity if such entity created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework, as described in subsection (c) of this section and that such covered entity designed its cybersecurity program in accordance with the provisions of subsection (d) of this section. The provisions of this subsection shall not apply if such failure to implement reasonable cybersecurity controls was the result of gross negligence or willful or wanton conduct.
By comparison, Ohio allows for an affirmative defense if the company was complying with a recognized cybersecurity standard. The other significant difference in the Ohio law is that there is a requirement that organizations update their security programs to comply with revised frameworks within six months of the publication date of a revision to a framework.
These three laws are also starting to define “reasonable cybersecurity controls”, which has been a topic of some discussion since then-California Attorney General Kamala Harris attempted to define reasonable cybersecurity in 2016. Although it has been five years, states are slowly coming to recognize that reasonable cybersecurity controls already exist. It is a matter of time until other states follow suit, and there may be a generally accepted definition of “reasonable cybersecurity controls” after several cases reach the appeals circuit.
Organizations that are not currently following a cybersecurity control framework can readily determine which framework is most appropriate by answering these three questions:
- Does the organization do business specifically with the Department of Defense? Use the CMMC.
- Does the organization do business often with a Federal or State agency? Use a NIST control framework, such as the NIST CSF or NIST SP 800-171, to start.
- Is the organization in a heavily regulated industry where there are defined cybersecurity controls in the regulatory framework? Use that framework.
- Otherwise, organizations should consider implementation groups one and two from the Center for Internet Security Critical Security Controls.
Once an organization has selected an appropriate framework, it should ensure that the specific framework is documented in policy documents that align to the topics in the cybersecurity framework, and seek to approve those revisions quickly. Courts are unlikely to be friendly to draft cybersecurity policies at organizations that have suffered a breach, much as external auditors treat unapproved cybersecurity policy documents poorly. The affirmative defenses, combined with making strategic decisions based on published facts, are a compelling reason for organizations to select and plan to adopt a framework before the start of the next budgetary year.