Several U.S. States have recently introduced breach litigation “safe harbor” as an incentive for organizations to take proactive steps to protect data by aligning to a recognized cybersecurity framework. To be eligible for this protection from data breach litigation, the organization must “create, maintain and reasonably comply” with the framework.
Which frameworks are recognized? NIST CSF, NIST 800-171 and NIST 800-53, FedRAMP, CIS Controls, ISO 27000, PCI DSS, HIPAA, GLBA, FISMA and HITECH can all be used in this defense. The good news here is that you won’t have to add more compliance burden if you already fall under sector requirements for protecting health, credit card or government data; you simply need to meet the current requirements.
What needs to be maintained? In order to invoke safe harbor, the entity must be in compliance at the time of the breach, including the administrative, technical and physical requirements of the chosen framework. Compliance is not just about an audit; it’s ongoing cyber testing, monitoring, and updating policies and procedures as the network and technologies change. Annual assessment against the current requirements can uncover any changes that may have been missed.
What does “reasonably comply” mean? This is defined as “to be of appropriate scale and scope to the business, the nature of its activities, the sensitivity of the information to be protected, and the tools and resources available to the entity.”
Are there any exceptions? Yes! If the entity had notice of a threat or hazard and did not act in a “reasonable” time to remedy the issue, and that failure resulted in the breach, safe harbor cannot be used as a defense.
How do I select a framework for my organization, or to protect my clients as a Managed Services Provider? Confirm the type(s) of information that you have to protect, and use the appropriate framework(s). If no framework applies, we generally recommend starting with the NIST CSF, as it is one of the simpler frameworks to meet yet still comprehensive. From there, CIS Controls or ISO can be mapped to further mature the NIST CSF requirements for technical controls or policies and procedures.