Kamala Harris got the ball rolling - States enact Safe Harbor laws against cyberattacks, but demand adoption of cybersecurity frameworks

The Proposed Act requires that a covered entity’s written cybersecurity program be designed to:

  1. protect the security and confidentiality of personal information;

  2. protect against any anticipated threat or hazard to the security or integrity of personal information; and

  3. protect against a breach of system security.

The Act also requires that a covered entity’s written cybersecurity program “reasonably conform to an industry-recognized cybersecurity framework.” It lists “the framework for improving critical infrastructure developed by [the National Institute of Standards and Technology]” (NIST) and the “Center for Internet Security Critical Controls for Effective Cyber Defense” (CIS), among others, as industry-recognized.

Cybersecurity Safe Harbors - An Incentive for Organizations to Safeguard Personal Information

In 2018, the Ohio legislature enacted the Ohio Data Protection Act. The Ohio Act enables a defendant in lawsuits to assert as an affirmative defense that it safeguards personal information or has a written cybersecurity program that conforms to an industry-recognized cybersecurity framework. The Ohio Act does not use the term “breach of system security” but instead uses the term “data breach” which means something substantially similar.

Under the Ohio Act an “industry-recognized cybersecurity framework” is limited to frameworks promulgated by certain industry organizations (e.g., NIST, CIS, and the Payment Card Industry Data Security Standard (PCI)) and applicable regulatory schemes (e.g., the Health Insurance Portability and Accountability Act (HIPAA) for protected health information, and the Gramm-Leach-Bliley Act (GLBA) for financial institutions).

New York has a similar but narrower version of the Proposed Act and the Ohio Act. Enacted in 2020, New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) requires that organizations that collect data maintain reasonable security according to applicable regulatory schemes (e.g., GLBA, HIPAA) and according to the requirements of specific agencies, such as the New York State Education Department and the state’s Department of Motor Vehicles. Just as the Proposed Act is not the first to provide a cybersecurity safe harbor, it is also not the first to require a written cybersecurity program.

Written Information Security Programs (WISPs) – An Industry Standard

Oregon, Massachusetts, and Rhode Island require organizations to develop and implement a WISP that includes administrative, technical, and physical safeguards for personal information. Each of these states provides detailed requirements of what should be included. Key elements include:

  • proper training for employees about appropriate cybersecurity best practices;

  • auditing programs and practices regularly to ensure they are reasonable and appropriate considering the data collected and resources of the organization;

  • designating an employee to oversee the WISP; and

  • maintaining an incident response plan that details how an organization will respond to a breach of system security or data breach.

A WISP should also include a section that addresses how an organization will ensure its vendors safeguard personal information. Oregon, Massachusetts, and Rhode Island all require organizations not only to select vendors capable of implementing appropriate security practices but also to maintain contracts with these vendors regarding security safeguards and practices. It naturally follows, then, that the Utah Act also requires organizations to ensure that vendors have administrative, technical, and physical safeguards in place for any personal information that organizations provide to their vendors.

Just as cybersecurity threats continue to rapidly evolve, so too do the legal landscape and industry standards designed to safeguard personal information. If you have any questions about the Proposed Act or the safe harbors provided in other similar statutes, or would like to consult about your organization’s WISP, please contact your regular AT attorney or one of those listed on this advisory.

Advisor Armor