States enact safe harbor laws against cyberattacks, but demand adoption of cybersecurity frameworks

Connecticut might soon follow Ohio and Utah by enacting a law that offers liability protection against ransomware and other cyberattacks, but only if victims follow security best practices.

While sophisticated ransomware and nation-state threat actors target US critical infrastructure, the only protection most organizations have against these attacks is tight and effective cybersecurity. These attacks have drawn government attention and sparked calls for liability protection against malicious intrusions. If organizations want this protection, however, lawmakers say they need to step up their game to implement better cybersecurity practices.

During a Senate Intelligence Committee hearing last month, Chairman Mark Warner (D-VA) said, "While I am very open to some level of liability protection, I'm not interested in a liability protection that excuses the kind of sloppy behavior, for example, that took place in Equifax, where they didn't even do the basic cyber hygiene."

“Cyber hygiene” is not enough, as former National Security Council (NSC) cybersecurity director Robert Knake recently wrote. "Basic cybersecurity hygiene, such as strong passwords, multifactor authentication, vulnerability patching, and next-generation antivirus software, is not sufficient against these groups," Knake wrote. "Instead, organizations should invest in security and operational vigilance, as these actors will take advantage of any mistake that defenders make."

Against the backdrop of this heightened federal-level focus, a number of states have quietly moved forward with their own liability exemption measures that seek to boost best cybersecurity practices. These states have enacted laws that incentivize the adoption of robust and thorough industry-leading cybersecurity frameworks and recommendations such as the National Institute of Standards and Technology’s [NIST] Cybersecurity Framework or the Center for Internet Security’s (CIS) Critical Security Controls by making them requirements for obtaining liability protections.

Kamala Harris got the safe harbor ball rolling

Vice President Kamala Harris kicked off this trend in February 2016 when she was California's attorney general. In the state's data breach report issued under her signature, the first recommendation was:

The 20 controls in the Center for Internet Security's Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization's environment constitutes a lack of reasonable security.

By defining what constitutes "reasonable security" as adopting a recognized set of industry security controls, California paved the way for other states to likewise adopt similar definitions of reasonable security.

In 2017, Nevada revised a statute related to personal information records security that requires the state data collectors to implement and maintain "reasonable security measures" to protect such records.  In 2019, Nevada clarified the definition of what constitutes reasonable security by passing a bill, which became effective on January 1, 2021, requiring the state data collectors to comply with or follow the CIS Critical Security Controls or the NIST Cybersecurity Framework. Nevada plans to augment that legislation with a new bill that gives organizations that implement the programs spelled out by CIS, NIST and other organizations a safe harbor to provides them with an affirmative litigation defense in breach lawsuits. SOURCE