
Safe Harbor Laws: A New Approach to Data Security Regulation

As online threats become more prevalent, many businesses and government institutions are looking to implement a more robust cybersecurity plan. Organizations continue to transfer data from physical files to online documents to ensure easier access and greater workplace productivity and online efficiency. A disruption in the flow of the online work environment can prove to be deadly should any threat occur. As more users begin to work online, the larger the risk of a cyber attack becomes. One of the biggest threats to a large corporation is a breach of data.

A data breach is a security incident in which information is accessed without proper authorization. These breaches can prove to be very costly for businesses and consumers as sensitive information can be stolen or manipulated to damage a person or organization's reputation. Corporations, both big and small, are key targets for cybercriminals due to the massive amount of information stored on company devices. A study determined that the average cost of a data breach on a global scale is around $3.6 million, but the cost for US organizations is much higher at nearly $7.4 million.

A data breach can occur in various ways, including:
  • Using out-of-date software that can easily allow hackers to sneak malware onto a computer.
  • Creating weak passwords that hackers could guess.
  • Unintentionally downloading a virus by clicking on a non-secure link.
  • Getting compromised by a targeted malware attack by opening a non-secure email or attachment.

Email is one of the most common ways malware can end up on a device. Without proper precautions, breaches are more likely to occur, and legal action is probable. Organizations must recognize the value of a robust email security solution to avoid these threats and the actions that follow an attack.

    A data breach could not only prove fatal for business but could also invite a host of legal obligations. In our next section, we shed some light on data breach lawsuits.

    Data Breach Lawsuit

Though many may view data breaches as information technology problems, cybersecurity breaches must also be viewed as legal events, because they trigger legal obligations. When a business suffers a cybersecurity incident, it must comply with federal and state laws and regulations dictating that the victims of the incident be given notice of the breach, how it occurred, when, and to whom.

Fifty-one U.S. jurisdictions, including 47 states, have enacted data breach notification laws, which mandate notice of a covered breach to affected individuals. These laws specify the steps that a company must take in response to a breach that affects residents of that state. The laws are similar across jurisdictions; however, they vary in how they define the elements of a breach. These elements include what constitutes a breach and what counts as identifiable personal information, along with the notifications that must follow a breach, including their timeliness and the level of harm involved.

Data breach lawsuits can range from large class actions to a suit filed by a single person. These suits can be filed by consumers, financial institutions, major businesses, and credit card companies that have all been affected by a breach. Most data breach lawsuits are filed by the victims themselves. Most include causes of action for negligence, breach of contract, breach of warranty, breach of fiduciary duty, false advertising, and unfair or deceptive trade practices.

    Safe Harbor Law

With the threat of data loss and the data breach lawsuits that follow, many organizations are searching for a way to implement security while also ensuring their business avoids getting sued. Ohio and Utah have recently begun implementing safe harbor laws for cybersecurity. This type of law creates an incentive for businesses to develop and implement a written cybersecurity program by protecting them against data breach lawsuits.

    When a business fails to adequately protect its customers' credit card information, a single hacking incident can enable a hacker to acquire the confidential data of millions of consumers. Consumer protection attorneys often bring cyber security data breach lawsuits as consumer class actions on behalf of large numbers of consumers whose credit card information was obtained from a negligent corporation's records. A class action enables these consumers to join together in seeking compensation and other relief from the corporation whose inadequate security is responsible for the breach.

House Bill 158, referred to as the Cybersecurity Affirmative Defense Act, states that if, at the time of a data breach, a covered entity has created, maintained, and complied with a written cybersecurity program, it has an affirmative defense to a civil tort claim.

The Act provides protection to persons that create, maintain, and reasonably comply with industry-recognized cybersecurity frameworks, such as NIST, ISO 2700, and the HIPAA Security Rule, among others identified in the Act. The written cybersecurity program must provide administrative, technical, and physical safeguards to protect any private and personal information.

    The Act establishes the following three affirmative defenses to tort-based claims brought under Utah law in a Utah state court:

  • A person that creates, maintains, and reasonably complies with written industry-recognized cybersecurity regulations that were in place at the time of the breach has an affirmative defense to a claim that the person failed to implement reasonable information security controls and that this failure resulted in the breach.
  • A person that creates, maintains, and reasonably complies with their program and also had in place protocols for responding to a breach of system security at the time of the breach has an affirmative defense to a claim that the person failed to appropriately respond to a breach of a security system.
  • A person that creates, maintains, and reasonably complies with their program and also had in place protocols for notifying an individual about a breach at the time of the breach has an affirmative defense to a claim that the person failed to appropriately notify an individual whose personal information was compromised in a breach of a security system.

An organization must prove its defense by showing that it created, maintained, and followed a written cybersecurity program. The program in question must be tailored to the size, complexity, and processing activities of the organization. In addition, the program must take into account the organization's resources, the sensitivity of the information, and the cost of the tools necessary to provide strong security. Most importantly, the program must be designed to maintain security, protect confidentiality, and guard against threats or risks that could lead to identity theft, fraud, or an invasion of privacy. Lastly, the program must comply with designated industry or government cybersecurity frameworks.

    Other Cybersecurity Laws

    Safe Harbor is a unique incentive for voluntary compliance with cybersecurity measures that contrasts with laws in other states. Some regions like New York and Massachusetts opt to punish noncompliance with cybersecurity provisions.

The NYDFS Cybersecurity Regulation works by imposing strict cybersecurity rules on covered organizations, including the establishment of a detailed cybersecurity plan, the designation of a Chief Information Security Officer (CISO), the enactment of a comprehensive cybersecurity policy, and the initiation and maintenance of an ongoing reporting system for cybersecurity events. Each of these components is made up of several sub-regulations and requirements.

    A cybersecurity program that complies with the new NYDFS Cybersecurity Regulation will adhere to several key requirements, aligned to the NIST Cybersecurity Framework:

  • Identify all cybersecurity threats, both internal and external.
  • Employ defense infrastructure to protect against those threats.
  • Use a system to detect cybersecurity events.
  • Respond to all detected cybersecurity events.
  • Work to recover from each cybersecurity event.
  • Fulfill various requirements for regulatory reporting.

It is important to note that many states do continue to require a written cybersecurity program as part of their own data security laws; however, these programs do not give organizations any wiggle room to recover from an error or to avoid the threat of a lawsuit.

The Utah and Ohio laws give companies an incentive to protect information by offering a safe harbor from certain litigation claims after a data breach. The law seeks to drive companies to put such a program in place without actually mandating a written program. The advantage of a safe harbor law for all organizations is that a cyber plan is adopted that reduces the risk of data threats. According to research that has analyzed this framework, data security for both businesses and consumers can reduce cyber attacks by 83%.


    Utilizing this defense, businesses can now deny liability in cases where they are being accused of not implementing any form of cybersecurity following a significant breach in data. The measures that both Ohio and Utah have taken have led many others to admire and wish to follow a similar state-mandated protocol. While this current scope of the law is limited to these two states, it does not mean organizations should continue to be less than diligent about data security. A strong cybersecurity framework can greatly reduce the risk of a breach in the first place without having to worry about the after-effect of a detrimental lawsuit in addition to what has already been lost.

When looking for the right tools to fit your organization's cybersecurity network, check out Synametrics. Offering the latest in file management, spam filtering, and backup and restoration, data loss is no longer a threat when utilizing these products. For more information, please click here.

    Created on: May 25, 2021
    Last updated on: Jul 13, 2024

