Getting hit by a cyberattack is a nightmare scenario for any company. Businesses not only have to deal with lost productivity and the cost of IT repairs, but could also be on the hook for fines and legal damages if any sensitive data was exposed as a result of the breach. Given this incredibly bleak scenario, many organizations would rather ignore the risk, despite a steady rise in cybercrime over the past years.
To encourage businesses to take action and secure their IT infrastructure, several US states are trying a new tactic: cybersecurity safe harbor laws offer companies legal protection in the wake of hacks and data breaches, as long as they have implemented a cybersecurity program based on established standards like the NIST Cybersecurity Framework or ISO 27001. To put it simply, as long as your organization can prove that you had appropriate safety measures in place at the time of an attack, you are protected from legal claims and privacy lawsuits that would normally result from a data breach.
Read on to learn more about cybersecurity safe harbor laws in the US, including which states currently have safe harbor laws in place and how your business can reach the necessary level of IT security to qualify for protection.
Cybersecurity safe harbor laws are legislative acts designed to encourage businesses and organizations to take voluntary action and improve their cybersecurity. They do this by offering an incentive to companies that meet the specific requirements of a safe harbor law: an affirmative legal defense against lawsuits following a security incident. The extent of this protection varies from law to law, but the most common example is protection from tort claims that allege a lack of reasonable cybersecurity controls.
Laws like these are a relatively new phenomenon, with Ohio being the first state to establish a safe harbor as part of the Ohio Data Protection Act in 2018. Since then, two more US states have passed similar legislation and more are likely to follow. The topic of cybersecurity has received a lot of political attention following the Colonial Pipeline hack in May of 2021. Safe harbor laws, which provide positive incentives for implementing security standards, complement stricter regulations such as the Executive Order on Improving the Nation’s Cybersecurity.
Note: An affirmative legal defense does not necessarily prevent your company from being sued, but will likely lead to the dismissal of the lawsuit and thus generally discourages legal action.
Requirements and Acceptable Frameworks
In order to rely on the affirmative legal defense offered by safe harbor laws, businesses must “create, maintain and comply with a written cybersecurity program” that “conforms to an industry recognized cybersecurity framework”. The reason lawmakers defer to industry standards instead of including a specific list of requirements is that digital technology and threats are constantly changing. Cybersecurity frameworks are regularly updated to reflect new developments, so referencing them removes the need to constantly amend the law to keep up.
Despite minor variations, all currently existing cybersecurity safe harbor laws recognize the same list of frameworks:
The NIST Cybersecurity Framework (as well as the special publications NIST 800-53(a) and NIST 800-171)
Additional requirements include that a cybersecurity program must be of appropriate scale and scope to the organization and be designed to protect personal and restricted information from both outside threats and unauthorized access. Similarly, organizations are required to update their program within a certain timeframe if the law or standard it is based on is revised.
How Can Safe Harbor Laws Improve Cybersecurity?
The topic of IT security is more relevant than ever in our increasingly interconnected society and economy. However, the way we discuss matters of cybersecurity tends to be incredibly punitive: the financial damages caused by a ransomware attack, the cost of restoring your network, the fines and settlements for data breaches, etc. While this approach is meant to highlight the importance of safety measures and scare people into action, it can actually have the opposite effect.
Think about it: You’re faced with a highly complex issue and told that making the wrong decision can have grave consequences. In this scenario, it’s not hard to see why an organization might feel tempted to do the absolute minimum, kick the can down the road or ignore the risk entirely. Obviously, “let’s wait and see” is not an effective approach to cybersecurity, but the temptation is understandable.
Safe harbor laws are meant to solve this problem and encourage businesses to deal with cybersecurity ahead of time rather than waiting until the worst comes to pass. By offering an incentive in the form of legal protection rather than a punishment (like a fine), they provide additional motivation for adopting IT safety standards, especially when paired with traditional regulations and mandates.
HIPAA Safe Harbor Provision
Bill HR 7898, also known as the HIPAA Safe Harbor Act, was officially signed into law in January of 2021. Similar to the state laws covered in this article, it is meant to incentivize the use of cybersecurity standards in the healthcare industry. However, it does not extend the same level of broad legal protection.
As an amendment to HIPAA, the bill requires HHS to take existing safety measures into account when investigating breaches. A covered entity that has followed “recognized security practices” like the NIST Cybersecurity Framework for at least 12 months will see lower fines and shorter audits if an incident does occur. Importantly, the reverse is not true and organizations that do not follow a specific industry standard will not receive higher fines as a result of this change.
Risk Management Through Cyber Insurance
At first glance, cybersecurity safe harbor laws have a lot in common with cyber insurance: Both require companies to adopt reasonable security measures in order to qualify and both offer protection in the case of an incident, data breach or cyberattack.
However, it’s worth noting that safe harbor laws only apply to very specific cases like tort claims made against your company. Depending on the policy you choose, cyber insurance can protect you from both first- and third-party damages that result from a cyberattack. This means that everything from restoring your network and the revenue lost during your downtime to the cost of legal fees and settlements can be covered.
So while safe harbor laws might offer legal protection, cyber insurance is still an important addition to your company’s risk management strategy in order to protect it from the direct damages caused by hacks or malware attacks.
Difference From the Safe Harbor Privacy Principles
Despite their similar name, cybersecurity safe harbor laws have nothing to do with the Safe Harbor Privacy Principles, a now defunct agreement between the EU and the US regarding the transfer of customer data. Whereas cybersecurity laws offer a safe harbor to companies that implement adequate protection, the Privacy Principles were concerned with the question of whether the personal data of EU citizens was sufficiently protected in the US.
The agreement was struck down in 2015 and replaced with the EU-US Privacy Shield, though negotiations and legal challenges are ongoing.
List of Cybersecurity Safe Harbor Laws by State
Connecticut: Incentivizing the Adoption of Cybersecurity Standards
The act protects businesses from punitive damages in any tort cases that allege that the breach was caused by “a failure to implement reasonable cybersecurity controls.” However, it does not apply in cases where the failure to implement was due to “gross negligence or wilful or wanton conduct.”
Ohio: Data Protection Act
The Ohio Data Protection Act of 2018 (Senate Bill 220) is the earliest safe harbor law for data breaches in the US. It amended various passages of Title 13 of the Ohio Revised Code (“Commercial Transactions”) to offer companies protection in the form of an “affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach.” The law does not include exceptions for negligence.
Utah: Cybersecurity Affirmative Defense Act
Utah’s Cybersecurity Affirmative Defense Act was signed into law on March 11, 2021. It offers an affirmative defense against claims that allege failure to implement reasonable information security controls, failure to appropriately respond to a breach or failure to notify affected individuals. To match these broad protections, the act also sets a higher bar for entities looking to qualify.
For instance, in order to count as a reasonable security program, it must include risk assessments and procedures to detect, prevent and respond to breaches. Additionally, companies must assign an employee to coordinate the program and take measures to train employees in the necessary safety practices. The act also includes several exceptions, such as if an entity had notice of a threat and did not act in a reasonable amount of time.
If you would like to improve the cybersecurity of your organization and meet the requirements of your local safe harbor law, the first step is to choose an established framework you would like to implement. Since these documents all cover the same topic, there is significant overlap in terms of their content. However, choosing the right safety standard from the start can help you avoid having to get certified multiple times, especially if you later require a certification for other reasons.
For companies primarily doing business in the US, the NIST Cybersecurity Framework or NIST 800-53 are often the most appropriate choice. If you are competing for government contracts or working in research, NIST 800-171 will prepare you for working with controlled unclassified information. If you have clients or contractors from around the world, choosing the ISO 27000 family can have the added benefit of its international recognition. However, unless your organization is required to comply with a particular standard or federal law (such as HIPAA), the choice is ultimately up to you.
Familiarize Yourself With Its Requirements
Although most people tend to think of information security as an IT topic, security frameworks typically include physical, organizational and technical safeguards. To keep data safe from manipulation and theft, it is equally important to protect it against outside forces like cyberattacks and against unauthorized access from within your organization.
Insider threats and data theft from within are a particularly tricky aspect of data protection, since most organizations have a blind spot when it comes to their own employees. This is just one of the reasons why limiting access to critical data according to the need-to-know or Least Privilege Principle is considered a best practice in information security.
Find Appropriate Software Solutions
Information security is not a singular issue, but comprises various different aspects such as network safety, intrusion detection, data backups and encryption, device and patch management or access control. Staying on top of all of these requirements is a logistical nightmare, but luckily there are dedicated tools that can help you automate various parts of your security program. Investing in automated software solutions will help you keep your data secure, while also freeing up your IT staff to deal with more productive tasks.
Meet Cybersecurity Standards With tenfold IAM
IAM or Identity and Access Management is one of the cornerstones of information security. By restricting access to the minimum level required for each role and eliminating outdated and unnecessary permissions, IAM solutions help businesses combat both cyberattacks and insider threats. There’s a reason why authentication and access control are key parts of every cybersecurity standard from NIST to the CIS Controls and ISO 27001.
While IAM does not cover every requirement of cybersecurity frameworks, it offers a solid foundation for improving your overall level of data protection, and it does so while saving you time and money by automating many routine tasks involved with user management.
tenfold specializes in IAM for mid-sized businesses: Our access management solution can be set up quickly, is easy to use for everyone from IT admins to HR staff and offers out-of-the-box support for various Microsoft services (like Azure AD or Microsoft 365) and third-party applications. Learn more about our philosophy, our range of plugins and why you should choose tenfold!