States enact safe harbor laws against cyberattacks, but demand adoption of cybersecurity frameworks

While sophisticated ransomware and nation-state threat actors target US critical infrastructure, the only protection most organizations have against these attacks is tight and effective cybersecurity. These attacks have drawn government attention and sparked calls for liability protection against malicious intrusions. If organizations want this protection, however, lawmakers say they need to step up their game to implement better cybersecurity practices.

During a Senate Intelligence Committee hearing last month, Chairman Mark Warner (D-VA) said, “While I am very open to some level of liability protection, I’m not interested in a liability protection that excuses the kind of sloppy behavior, for example, that took place in Equifax, where they didn’t even do the basic cyber hygiene.”

“Cyber hygiene” is not enough, as former National Security Council (NSC) cybersecurity director Robert Knake recently wrote. “Basic cybersecurity hygiene, such as strong passwords, multifactor authentication, vulnerability patching, and next-generation antivirus software, is not sufficient against these groups,” Knake wrote. “Instead, organizations should invest in security and operational vigilance, as these actors will take advantage of any mistake that defenders make.”

Against the backdrop of this heightened federal-level focus, a number of states have quietly moved forward with their own liability exemption measures that seek to boost best cybersecurity practices. These states have enacted laws that incentivize the adoption of robust and thorough industry-leading cybersecurity frameworks and recommendations such as the National Institute of Standards and Technology’s [NIST] Cybersecurity Framework or the Center for Internet Security’s (CIS) Critical Security Controls by making them requirements for obtaining liability protections.

Kamala Harris got the safe harbor ball rolling

Vice President Kamala Harris kicked off this trend in February 2016 when she was California’s attorney general. In the state’s data breach report issued under her signature, the first recommendation was:

The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.

By defining what constitutes “reasonable security” as adopting a recognized set of industry security controls, California paved the way for other states to likewise adopt similar definitions of reasonable security.

In 2017, Nevada revised a statute related to personal information records security that requires the state data collectors to implement and maintain “reasonable security measures” to protect such records.  In 2019, Nevada clarified the definition of what constitutes reasonable security by passing a bill, which became effective on January 1, 2021, requiring the state data collectors to comply with or follow the CIS Critical Security Controls or the NIST Cybersecurity Framework. Nevada plans to augment that legislation with a new bill that gives organizations that implement the programs spelled out by CIS, NIST and other organizations a safe harbor to provides them with an affirmative litigation defense in breach lawsuits.

It was Ohio that in 2018 became the first state in the country to enact a safe harbor for organizations hit by a data breach. Ohio’s safe harbor minimizes damages under lawsuits related to data breaches if the organizations follow the NIST Framework or other NIST guidance, CIS controls or other measures such as the FedRAMP’s security assessment framework, or ISO 27000 guidance. In early March 2021, Utah became the second state to adopt a cybersecurity safe harbor statute that similarly references these written frameworks and standards, along with the HIPAA Security Rule.

Connecticut tees up its own safe harbor law

Now the Connecticut General Assembly has agreed to hear a bill, H.B. No. 6607, “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses”, which in essence mandates the same thing. The bill establishes a legal safe harbor for organizations that voluntarily adopt recognized cybersecurity best practices, such as the NIST Framework or CIS controls, and implement a written security program.

“The trend line seems to be that more and more states are adopting this concept of incentivized voluntary adoption as well as the creation of a safe harbor,” Curtis Dukes, CIS executive vice president and general manager, security best practices, tells CSO. “They all have the same two or three standards that they’re pointing to.”

What these laws are trying to do is say to “business leaders in my state, ‘Here’s what we believe are a good set of standards. If you actually implement those and prove that you’ve implemented those prior to a breach, then we’re going to create a safe harbor within our state should there be a court case filed against you for that breach,”’ Dukes says.

Democratic State Representative Caroline Simmons, who introduced the Connecticut safe harbor legislation, tells CSO that “cyber threats pose serious risks to Connecticut’s s infrastructure, utilities, businesses, hospitals, schools and consumers. There were over 400 reports of security breaches in Connecticut in 2018, compromising the personal information of over 500,000 Connecticut residents.” The rise in cyber threat’s facing Connecticut residents is what prompted Simmons to sponsor the bill.

“By creating a safe harbor for all organizations in Connecticut that adopt a written cyber plan based on a recognized best practice, like the NIST Cybersecurity Framework or the CIS Critical Security Controls, we will bolster data security for businesses and consumers, as these frameworks have been shown to reduce cyberattacks by 83%,” she says.

While incentivizing companies to adopt better cybersecurity practices, these safe harbor laws still allow consumer data breach lawsuits to move forward. “At least the consumer knows and understands that that businesses are aligning to known standards and they are implementing those actually to protect the consumers’ personally identifiable information,” Dukes says. “The consumer still has a right to go to court, but it’s going to create a higher bar.”

Other states likely to introduce their own safe harbor bills

Giving that tying reasonable cybersecurity practices to adoption of the recognized frameworks is voluntary, it seems likely that other states will pick up the baton, particularly given that there are no comparable definitions of reasonable cybersecurity at the federal level. “It just seems like this is good, practical, common sense, and that every state should be moving to adopt this,” CIS’s Dukes says.

“I do hope that other states adopt similar measures in order to strengthen our cybersecurity nationwide,” Simmons says. “Particularly with the pandemic shifting so much work online, this is an opportune time to advance this legislation which is a low cost, effective way to protect businesses and consumers from cyberattacks.”