In 2013-2014, the National Institute of Standards and Technology (NIST) adapted the widely used government standards of NIST 800-53 for the private sector by creating and publishing the Cybersecurity Framework (CSF). The CSF provided a method for private companies to complete an assessment and adopt relevant portions of the NIST standards for their own use. Soon after, the Federal Financial Institutions Examination Council (FFIEC) created the Cybersecurity Assessment Tool to map the NIST and CSF standards for banks. This framework helped banks implement cybersecurity to protect their assets and information.
Until recently, the adoption of NIST or other recognized standards was a good defensive legal posture. Now, the adoption of such standards can be a proactive step in establishing a legal safe harbor from lawsuits. By offering a legal safe harbor as the reward, these new laws become incentives to adopt recognized cybersecurity standards.
Cyber attacks have become commonplace across all business lines, including financial, health care, insurance, retail, and general business. In 2020, the number of cyber attacks increased again due to COVID and the vulnerability of remote workers. For the banking industry, the threats and the costs of recovery are higher than in all other industries but health care. On average, banks face 85 serious attempts a year to penetrate their networks, and approximately 36% of these attempts result in some data being stolen.1 Banks also have the second-highest cost per record (second to health care) to recover from a breach.2
Cyber attack victims not only endure the expense of recovering from a breach, but they also endure attacks from zealous plaintiffs’ attorneys. As if banks were not already paying enough for cybersecurity, monitoring and recovery, the costs are even greater if they are forced to defend themselves in an ensuing class-action lawsuit.
But there is a new trend among legislators to protect businesses from cybersecurity lawsuits. Several newly enacted laws provide safe harbors for companies that have written cybersecurity policies and have taken the necessary steps to protect their data. Utah became the second state to provide safe harbor protections, and the federal government has provided some protection as well.
State Safe Harbor Laws
Utah’s new law, entitled the Cybersecurity Affirmative Defense Act (HB80), amends Utah’s data breach notification statute. It provides an affirmative defense for companies facing lawsuits which allege:
- The company failed to implement reasonable information security;
- The company failed to appropriately respond to a data breach; or,
- The company failed to appropriately notify affected individuals.
The law, however, only provides an affirmative defense if the company can prove:
- They created and maintained a written cybersecurity program;
- The program reasonably complied with a recognized cybersecurity framework;
- The framework was in place at the time of the breach;
- The cybersecurity program had protocols for responding to a breach of system security; and,
- The company followed the protocols.3
The law defines a cybersecurity program as one which reasonably conforms with frameworks such as:
- National Institute of Standards and Technology (NIST) frameworks such as 800-53 and 800-171;
- Federal Risk and Authorization Management Program Security Assessment Framework (FedRAMP);
- Center for Internet Security (CIS) critical security controls; or the
- International Organization for Standardization (ISO) 27000 family of controls.
In 2018, Ohio passed a similar statute.4 The Ohio law provides for an affirmative defense for businesses that:
Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry recognized cybersecurity framework.5
There is some flexibility in these statutes. Companies are not forced to adopt and implement an entire framework; they need only reasonably comply with one. Both statutes allow companies to customize their policy and tailor their approach. Utah and Ohio allow businesses to tailor their approach using criteria such as:
- The size and complexity of the entity;
- The nature and scope of the activities of the entity;
- The sensitivity of the information to be protected;
- The cost and availability of tools to improve information security and reduce vulnerabilities; and
- The resources available to the entity.6
The flexibility in this approach recognizes the limited resources of small and medium-sized organizations while still providing protection from litigation.
Connecticut is also considering a similar statute.7 The proposed Connecticut law offers an affirmative defense if:
[The] covered entity created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework.8
The Connecticut law outlines a similar set of cybersecurity frameworks, such as NIST, ISO or FedRAMP, and, like Utah and Ohio, allows flexibility based on the size and complexity of the organization, the sensitivity of the data, the cost and availability of tools, and the resources of the entity.
Federal Safe Harbor Laws
Earlier this year, the federal government passed, and the president signed into law, the so-called HIPAA Safe Harbor bill.9 Under prior HIPAA/HITECH law, an organization could face fines, audits, or the imposition of remediation remedies for cyber breaches, as determined and imposed by the Secretary of the Department of Health and Human Services (HHS). Health care organizations would often argue, to no avail, that they had implemented all the cybersecurity measures they could afford to protect their information and their network, yet still suffered a cyber attack. The reality is that large organizations have very capable cybersecurity staff, but, despite their efforts and skill in defending their network, the exploitation of a single zero-day vulnerability or a single phishing email may expose a significant amount of sensitive data.
Under this new federal law, HHS may reduce fines, reduce imposed remedies or terminate an audit. The organization need only demonstrate that it had, for the prior 12 months, security practices in place that meet certain cybersecurity standards. These cybersecurity standards are defined as NIST, the Cybersecurity Act of 2015, or other recognized cybersecurity programs developed by private industry.
Implications for Banking
The FFIEC established a framework for banking through the Cybersecurity Assessment Tool (“CSAT”). In the CSAT, the FFIEC offers a baseline of declarative statements. These declarative statements are then mapped to the FFIEC IT Examination Handbook and to the NIST standards. To date, none of the safe harbor laws directly recognize the CSAT as a framework, but, as an example, the Utah law allows the following:
(ii) reasonably conforms to the current version of any of the following frameworks or publications, or any combination of the following frameworks or publications:
(A) NIST special publication 800-171;
(B) NIST special publications 800-53 and 800-53a;
The mapping provided by the FFIEC in the Cybersecurity Assessment Tool10 provides a direct correlation between the CSAT and the NIST standards. This correlation can give banks a strong basis for claiming the benefits of such safe harbor provisions.
Conclusions
State and federal legislatures are recognizing the need to protect companies and to incentivize good cybersecurity. They are providing these incentives through safe harbor laws. These laws recognize that businesses of all sizes have become victims of cyber attacks even after implementing robust cybersecurity protocols. They both incentivize the adoption of cybersecurity frameworks and provide litigation safe harbors. These laws are the newest trend in cybersecurity law, and banks and companies of all sizes can take advantage of the safe harbors by adopting and implementing nationally recognized frameworks. Such measures will protect companies from overly litigious clients and customers. Banks can, and should, include direct references to recognized NIST standards in their own policies to protect their organizations, as more such laws are surely on the horizon.
1 ComputerWeekly.com, “Banks face daily cyber-attacks, many of which succeed in stealing data, research finds”, https://www.computerweekly.com/news/450417135/Banks-suffer-average-of-85-attempted-serious-cyber-attacks-a-year-and-one-third-are-successful, last visited April 29, 2021.
2 IBM and The Ponemon Institute, “2019 Cost of a Data Breach”, https://www.ibm.com/security/data-breach, last visited April 29, 2021.
3 Cybersecurity Affirmative Defense Act (HB80), Utah Code § 78B-4-702.
4 Ohio Revised Code Section 1354, “Businesses Maintaining Recognized Cybersecurity Programs”.
5 Id. at (A)(1).
6 Id. at (C); similar to Utah Code § 78B-4-702(4)(c).
7 Connecticut General Assembly, H.B. No. 6607, “AN ACT INCENTIVIZING THE ADOPTION OF CYBERSECURITY STANDARDS FOR BUSINESSES”.
8 Id. at (B).
9 H.R. 7898, Public Law 116-321, to amend 41 USC Sec. 17931 et seq., officially titled “To amend the Health Information Technology for Economic and Clinical Health Act to require the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes.”
10 https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf, last visited May 1, 2021.