The information provided in this blog post does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Readers should contact their attorney to obtain advice with respect to any particular legal matter.
As cyber-attacks and successful breaches, particularly via ransomware, continue to increase1, it’s no longer a question of “if” an organization will be a victim, but “when.” And it is important to note that organizations can be sued for data breaches. There are cases that seem to offer a legal precedent for individuals to sue businesses that have not put the proper security protections in place to prevent data containing personal information from being accessed.
A cyber-attack or data breach can be devastating. Not only does the breached organization suffer the cost of remediating the damage done by the attack and perhaps paying a ransom to recover stolen data, but being temporarily inoperable can cause lost sales, in addition to the incalculable reputational damage the organization will experience2. The latest estimate of downtime to a business because of a cyberattack is 21 days3.
Add to that a potential one-two punch of lawsuits and regulatory sanctions targeting the breached organization, and it adds up to a profoundly negative impact on its long-term viability.
Responsible organizations that maintain personal information commit themselves to protect their network systems through dedicated or outsourced cybersecurity teams, robust security tools, and continuous staff training. But breaches will happen, no matter how diligent an organization is with its cybersecurity.
To incentivize organizations to be proactive with their cybersecurity, several states have introduced data breach litigation “safe harbor” laws that provide an affirmative defense to liability caused by data breaches. To be eligible for safe harbor protection, an organization must protect its data by implementing and maintaining cybersecurity programs that meet industry-recognized standards and be able to show reasonable compliance with them at the time of the breach.
Which cybersecurity frameworks are typically recognized for meeting safe harbor requirements?
Standards that are acceptable include:
- NIST CSF (National Institute of Standards and Technology Cybersecurity Framework)
- NIST 800-171
- NIST 800-53
- FedRAMP (Federal Risk and Authorization Management Program)
- ISO 27000
- CIS (Center for Internet Security “Critical Security Controls for Effective Cyber Defense”)
Businesses already regulated by the following frameworks must reasonably conform to them, and do not need to add the additional burden of complying with another standard:
- PCI DSS (Payment Card Industry’s Data Security Standards)
- HIPAA (Health Insurance Portability and Accountability Act)
- GLBA (Gramm-Leach-Bliley Act)
- HITECH (Health Information Technology for Economic and Clinical Health Act)
- FISMA (Federal Information Security Modernization Act)
Exactly what does “reasonably conform” mean?
The definition of “reasonably conforms” is partially satisfied by adhering to the above-mentioned industry-recognized security frameworks, but also takes into account: 1) the size and complexity of the organization; 2) the nature and scope of its activities; 3) the sensitivity of protected information; and 4) the cost and availability of tools to improve data security and reduce vulnerabilities.
Is cybersecurity safe harbor absolute?
No. If an organization was aware of a threat or vulnerability and did not act in a reasonable time to fix the issue and it resulted in a data breach, safe harbor cannot be used as a defense.
Safe harbor is a legal remedy for cyber-responsible organizations that provides them an affirmative defense to liability caused by data breaches if they implement and maintain a cybersecurity program that meets an industry-recognized standard and can show compliance at the time of the attack.
To help protect companies from cyber-attacks and data breaches, Fortress SRM provides full-spectrum cybersecurity services and works with a large network of attorneys, law enforcement agencies, insurance providers, and crisis communications firms. In addition to providing Security Consulting, Incident Prevention, Managed Security, and Incident Response services, Fortress can refer you to any cyber specialist you might need in the event of a ransomware attack or data breach.
- Average ransomware payments have grown 82% in the last year; from $312,000 in 2020 to $570,000 in 2021.Palo Alto Networks, 2021
- 93% consider an organization’s trustworthiness prior to purchasing. 59% would avoid doing business with a company cyber-attacked in the past 12 months.
Arcserve, 2020 - The average downtime a company experiences after a ransomware attack is 21 days.
Coveware, 2021