Ever since the European Union released the General Data Protection Regulation (GDPR) more than three years ago, state governments across the U.S. have taken steps to establish their own cybersecurity compliance standards. Some of the more recent legislation has come from California and Colorado. Both of these regulations outline the punitive measures that an organization will face should they experience a data breach due to an act of negligence. Punitive fines traditionally enforce companies to comply. Unfortunately, there are organizations that fall under the jurisdiction of these state compliance regulations but still remain noncompliant. Hence the old adage, you can lead a horse to water but you can’t make him drink, may hold true when it comes to coaxing organizations to take appropriate security measures.
Creating a Safe Harbor for Compliant Enterprises
Some states are now choosing to take a different approach when it comes to cybersecurity compliance, one that is based around perks rather than punishments. The idea is to motivate organizations to take the necessary steps to secure their network infrastructures with an affirmative defense for civil lawsuits resulting from a cybersecurity incident.
Connecticut’s Safe Harbor Regulation
Connecticut passed a law on July 6, 2021 that creates a safe harbor for companies that implement reasonable cybersecurity controls. The law states that in the event of a data breach-like incident that involves personal or restricted information, the Superior Court shall not assess punitive damages against a covered entity if such entity created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework. The current set of recognized frameworks include the following:
- Three different NIST standards
- ISO 27000 series
- CIS Controls – The Center for Internet Security’s “Center for Internet Security Critical Security Controls for Effective Cyber Defense”
- The Health Insurance Portability and Accountability Act (HIPAA)
- Gramm–Leach–Bliley Act
In order to retain their safe harbor status, organizations must conform to any new revisions of these standards within six months of their publication. Companies subject to PCI DSS must also comply. The law also clearly states that that the provision of safe harbor does not apply if it is found that a company failed to implement reasonable cybersecurity controls or if the data breach was the result of gross negligence or wanton conduct. Like most government regulations, the scope of the law is based on factors such as a company’s size, the complexity of its operations and the cost and availability of security controls.
The Connecticut law also expanded the definition of personal information to include data types such as subscriber information, government ID numbers and biometric information. It also shortened the notification window for which companies must alert involved parties of a breach involving their personal data (from 90 days to no more than 60). In addition, the law now allows companies to alert affected parties of a breach concerning their personal login credentials through electronic means.
Connecticut isn’t the only state to take this approach. Ohio was the first state to blaze the trail of providing an affirmative defense to escape punitive damages from civil suits levied against companies that were in compliance with a recognized cybersecurity standard at the time of a security incident. Utah passed a similar law in March of 2021 to encourage entities to maintain reasonable safeguards to protect personal information. Other states considering a carrot stick approach include Georgia, New Jersey and Illinois.
Defining Reasonable Security and DoCRA
All of these new affirmative defense laws involve the determination of what a reasonable level of security is. This is also commonly referred to as “duty of care” or “due care.” Determining what one’s duty of care is necessary in order to establish the correct balance between reasonable security and reasonable burden. After all, cybersecurity protection isn’t free. One method of determining this acceptable equilibrium is the Duty of Care Risk Analysis Standard (DoCRA). DoCRA outlines the processes for evaluating risks and their safeguards in a way that is easily communicated and accepted by authorities such as regulators and judges or anyone who needs to determine whether foreseeable harm could have been prevented by safeguards that would pose a reasonable burden.
In February of 2021, the Sedona Conference Working Group 11 (WG11) released a commentary on a reasonable security test. The purpose of the test is to help regulatory and litigation communities ascertain whether or not an organization implemented reasonable cybersecurity. Like DoCRA, “the test” would consider both the involved risks as well as the burden of implementing the proposed controls to protect against them. In an era in which it seems so many parties are scrambling to define “reasonable,” this reasonableness test assists in establishing whether or not a given party met their legal obligations in the event of a cybersecurity incident.
A Holistic Approach to Mitigating Risk
There is no doubt that there is a cost and burden to implementing security controls. The question is, just how many security controls does one need to implement and support? Too often, companies apply a best of breed approach to cybersecurity. A new threat is discovered, and security vendors then release a new solution to address it and convince companies to purchase and implement it. What happens as a result is a disparate group of security tools that work in isolation of one another. This fragmented approach creates attention gaps as personnel must swivel from one tool to another to monitor the enterprise. One should not assume that more tools equal greater security. This paradox was recently exemplified in Cisco’s 2020 CISO Benchmark Survey that exposed a defined correlation between the amount of security related downtime experienced by an organization and the number of security vendors it used.
- 73% of those that utilized 50+ security vendors experienced 4+ hours of downtime
- 56% of those that utilized 6-10 security vendors experienced 4+ hours of downtime
- 58% of those that utilized 2-5 security vendors experienced 4+ hours of downtime
- 49% of those that utilized 1 security vendor experienced 4+ hours of downtime
A similar correlation was found concerning the number of records impacted during a breach.
- 81% of those that utilized 50+ security vendors had 10,000+ records impacted
- 54% of those that utilized 6-10 security vendors had 10,000+ records impacted
- 35% of those that utilized 2-5 security vendors had 10,000+ records impacted
- 16% of those that utilized 1 security vendor had 10,000+ records impacted
Because this silo approach to cybersecurity is not achieving the results that companies are seeking today, many companies are looking at cybersecurity from a more holistic view. This starts with the creation of an effective cybersecurity strategy that utilizes a coordinated approach across all operating units of the organization – from IT to the C-Suite to the customer-facing teams. Security controls are then selected not according to the latest “buzz” but whether they can work interactively with one another, creating blanket level security.
How HALOCK can Help
If you’re confused as to what the definition of reasonable is or you want to ensure that you can escape the punitive damages of a cybersecurity lawsuit even if you don’t live in Connecticut, then contact HALOCK Security Labs. As partners with CIS in authoring CIS RAM, serving on the DoCRA Council, and contributing to the Sedona Conference, we are fortunate to have a full perspective of what constitutes reasonable to litigators, regulators, and organizations. We can partner with you to create a more holistic approach to cybersecurity. Leveraging the reasonable risk approach provides the proper insight into developing effective security strategies. Manage your risk to be reasonable and appropriate to your environment and protect the privacy of your data.