Gain Liability Protection From Data Breach Claims By Implementing Cybersecurity Frameworks

Cyber-attack methods evolve quickly, and they’re becoming increasingly sophisticated. Global cybercrime costs businesses $16.4 billion every day, with a ransom attack occurring every eleven seconds.

Chances are you have some security gaps at the moment. Do you have strong capabilities across all critical control domains including security assessment, access control, incident management and response, and configuration management? Further, have you made sure that your third parties — those cloud services you rely on to run your business — have adequate security controls and aren’t putting your organization in a vulnerable position?

At this time, most organizations would benefit from bringing more rigor and discipline into their security and compliance programs. Frameworks like the NIST Cybersecurity Framework (CSF), NIST SP 800-53, and ISO 27000 series provide comprehensive lists of activities that are proven to enhance an organization’s security posture. Additionally, doing this work can help your organization gain liability protection in the event that you experience a breach, lose personal information, and become the subject of lawsuits under multiple states’ cybersecurity laws.

In recent months, U.S. lawmakers have provided new incentives for organizations to implement certain well-recognized cybersecurity frameworks. States including Connecticut, Ohio, and Utah have passed new laws incentivizing organizations to adopt well-recognized cybersecurity standards/frameworks including the NIST Cybersecurity Framework, NIST SP 800-171, NIST Privacy Framework, ISO 27001, and PCI DSS.

Under these state laws, having a documented and operational cybersecurity program that aligns to one of these frameworks is an affirmative defense against data breach claims, brought under state law, alleging that failure to implement reasonable cybersecurity controls caused the data breach. Interestingly, none of these laws included SOC 2 in their list of “well-recognized cybersecurity frameworks”.

Hyperproof Can Help You Implement a Security Program Aligned to Best-In-Class Cybersecurity Frameworks

With Hyperproof, you can implement one or multiple best-in-class cybersecurity standards in the most efficient way possible. Hyperproof comes with templates for many cybersecurity frameworks that include the program’s requirements and illustrative controls you can use to jump start the work. Additionally, Hyperproof helps minimize duplicative efforts when complying with multiple frameworks; the system automatically suggests controls that can be leveraged to meet requirements in a new framework. Book a demo today.

Appendix A: Recent State Laws Incentivizing Organizations to Implement Best-In-Class Cybersecurity Frameworks

Connecticut, (PA 21-119): Under PA 21-119, An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses, any “business” (as defined below) that accesses, maintains, communicates, or processes personal information (as defined under the state’s data breach law referenced above, as amended by PA 21-59) may not be subject to punitive damages in a tort action alleging failure to implement reasonable cybersecurity controls resulting in a data breach involving personal information or “restricted information” (as defined below) if the business created, maintained, and complied with a written cybersecurity program containing safeguards conforming with an industry-recognized framework, unless the failure to implement cybersecurity controls was due to gross negligence or willful misconduct.

The law provides that a covered business’s cybersecurity framework may conform with industry standards if: (i) it complies with certain recognized information security standards, such as the “”Framework for Improving Critical Infrastructure Cybersecurity” published by the National Institute of Standards and Technology (NIST), or NIST’s special publication 800-171, among other standards; (ii) the business is regulated by HIPAA, Gramm-Leach-Bliley, or certain other federal or state laws imposing security frameworks, and the business complies with the requirements set forth in such laws or regulations; or (iii) the business complies with the Payment Card Industry Data Security Standard (PCI-DSS) and one of the NIST or similar information security standards identified in the law. The business’s cybersecurity program must be designed to protect the security and confidentiality of personal and restricted information, and protect against threats and unauthorized access to such information, and should be scaled based on the size of the business, and scope and sensitivity of data held.

OHIO HB376: In July 2021, Ohio introduced the Ohio Personal Privacy Act (OPPA) which states, “A business has an affirmative defense against allegations of violations of [regulatory enforcement or consumer lawsuits] if that business creates, maintains, and complies with a written privacy program that reasonably conforms to the National Institute of Standards and Technology Privacy framework entitled ‘A Tool for Improving Privacy through Enterprise Risk Management Version 1.0,’…” The NIST reference here is the NIST Privacy Framework.

UTAH H.B. No. 0080: In early March 2021, Utah became the second state to adopt a cybersecurity safe harbor statute that similarly references written and recognized frameworks and standards. Under Utah’s recently passed Cyber Security Affirmative Defense Act, entities that create, maintain, and reasonably comply with a written cybersecurity program may use their compliance with their cybersecurity program as an affirmative defense against data breach claims brought under state law. The frameworks referenced include the National Institute for Standards and Technology (NIST) special publication 800-171, 800-53, and 800-53a; Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense; and International Organization for Standardization/International Electrotechnical Commission (ISO) 27000 Family- information security management systems.

Federal HR 8998: In January 2021, a new federal law was signed that provides safe harbor to HIPAA covered entities and business associates from breach penalties and required audits if they implemented the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) for the prior 12 months.