Several U.S. States have recently introduced breach litigation “safe harbor” as an incentive for organizations to take proactive steps to protect data by aligning to a recognized cybersecurity framework. To date, only Utah and Connecticut have done so; but many other states are considering such legislation, so it’s best to be prepared.
Presently (and again, right now, it’s only in Utah and Connecticut), to be eligible for “safe harbor” protection from data breach litigation, the organization must “create, maintain and reasonably comply” with recognized cybersecurity frameworks.
When this sort of “safe harbor” protection will become law in your state is anyone’s guess; however, the provisions offer a responsible path to developing and deploying a meaningful cybersecurity program today.
Here are a few details:
Which frameworks are recognized? NIST CSF, NIST 800-171 and NIST 800-53, FedRAMP, CIS Controls, ISO 27000, PCI DSS, HIPAA, GLBA, FISMA and HITECH can all be used in this defense. The good news is that if you already fall under sector requirements for protecting health, credit card or government data, you won’t have to take on additional compliance burden; you simply need to meet the requirements that already apply to you.
What needs to be maintained? In order to invoke safe harbor, the entity must be in compliance at the time of the breach, including the administrative, technical and physical requirements of the chosen framework. Compliance is not just an audit; it is ongoing cyber testing, monitoring, and updating of policies and procedures as the network and technologies change. An annual assessment against the current requirements can uncover any changes that may have been missed.
What does “reasonably comply” mean? This is defined as “to be of appropriate scale and scope to the business, the nature of its activities, the sensitivity of the information to be protected, and the tools and resources available to the entity.”
Are there any exceptions? Yes! If the entity had notice of a threat or hazard and did not act within a “reasonable” time to remedy the issue, and the breach resulted from that issue, safe harbor cannot be used as a defense.
How do I select a framework for my organization, or to protect my clients as a Managed Services Provider? Confirm the type(s) of information that you have to protect, and use the appropriate framework(s). If no framework applies, we generally recommend starting with the NIST CSF, which is one of the simpler frameworks to meet yet is still comprehensive. From there, CIS Controls or ISO can be mapped onto it to further mature the NIST CSF requirements for technical controls or policies and procedures.
Remember: you’re not alone. Stratix Systems can help.
