[BreachExchange] Should There Be ‘Safe Harbor’ Against Data-Breach Lawsuits?

[Destry Winant]

https://www.datacenterknowledge.com/regulation/should-there-be-safe-harbor-against-data-breach-lawsuits

Sometimes, you do the best you can, but things happen anyway.

You follow all the best practices, all your systems are locked down,
you spend twice as much as your peers on cybersecurity, you have cyber
insurance in place, and a hacker still gets through. You get sued,
there's a judgment against your company that's more than the maximum
payout on your cyber insurance policy, and you're out of business.
Your company is paying the price for something completely out of its
control.

Some industries have "safe harbor" laws to protect companies against
these kinds of problems. Take, for example, copyright infringement
lawsuits against websites. If your website has stolen content on it,
then you're in the wrong and should have to pay for it. But what if
the stolen content was uploaded by a random user, and you didn't know
that the content was stolen? The Digital Millennium Copyright Act in
the US and similar laws in most other countries protect companies from
lawsuits as long as they do their best to take down infringing content
as soon as they're told about it.

Now Ohio has a similar law – but for data breaches. The state’s Data
Protection Act went into effect in late 2018 and unlike the recent
privacy-related laws passed by California and Colorado, instead of
punishing companies when things go wrong, it rewards them for doing
the right things.

What the Law Means for Data Center Operators

In many industry verticals, data centers already have to meet
cybersecurity standards, so the law will add some legal protections
without much additional work.

For example, data centers with customers in the federal government,
financial services, and healthcare must comply with FISMA for
government, PCI-DSS for payments, and HIPAA for health care.

Those data centers won't need to do any additional work to be covered
under the Ohio law, said Michael Magrath, director of global
regulations and standards at OneSpan, a security company based in
Oakbrook Terrace, Illinois. "I would expect data center managers to
applaud the new law, as it provides safe harbor for their existing
business practices," he said.

For data centers that don't currently fall under these regulatory
requirements adopting a cybersecurity framework would be a good idea
in any case. To qualify for "safe harbor" under the Ohio law, a
company must create a cybersecurity program that falls under one of
eight such frameworks: two NIST frameworks, FedRAMP, ISO 27000, HIPAA,
Graham-Leach-Bliley, FISMA, and the Center for Internet Security
Critical Security Controls framework.

The NIST cybersecurity framework is a good place to start, said George
Wrenn, founder and CEO at CyberSaint Security, a Boston-based risk
management company. This framework was released five years ago and is
now a widely used government standard, according to him.

"Framework adoption has drastically helped information security
organizations and CISOs – including myself – standardize cybersecurity
best practices," he said.

A Positive Step for Cybersecurity

Ohio is leading the way here, said Colin Bastable, CEO at Lucy
Security, an Austin-based cybersecurity training company.

"This is a very good contribution to the fight for cybersecurity," he
said. "Security starts with written policy, and this legislation
rewards businesses and organizations that put in place best-practice
security policies."

And even though the scope of the law is limited to the state of Ohio,
organizations shouldn’t limit their compliance only to things they do
in the state. "It is a good idea to act as if this legislation applies
nationally," Bastable said. Even if compliance isn't considered a
mitigating factor in a courtroom, using a solid security framework
will help reduce the likelihood of a breach in the first place.

However, courts already consider a companies’ security controls, said
attorney Jeremy Byellin, VP for law and regulations at Shared
Assessments, a Santa Fe-based industry group focusing on corporate
risk. "The law is still very new, so it will be interesting to see how
it plays out on the legal landscape," he added.

The true impact will only be felt when other states, or even the
federal government, roll out similar versions of the law. "There’s no
doubt that one or more additional states will follow Ohio’s example,"
he said. "And it isn’t too far-fetched to imagine the federal
government enacting some kind of similar measure."

Limitations of the Law

Until other jurisdictions follow suit, the impact of the Ohio law will
be limited.

Unless a data center decides to move to Ohio, the law won't have much
practical effect, said Matan Or-El, CEO and co-founder at Panorays, a
New York-based security vendor.

"And even if they do, they still will have to go to court and prove
that they followed the correct procedures and that the threat was
unexpected," he said.

Plus, the law only applies to tort claims, he pointed out. "It does
not protect against statutory and contract-based claims, which are
common for data breaches.”

Another criticism of the law is that the requirements might not be
strict enough, since the cybersecurity threat landscape changes much
faster than the frameworks do. "Meeting those should be table stakes,"
said Willy Leichter, VP of marketing at Virsec Systems, a San
Jose-based cybersecurity firm.

Ultimately, businesses have to be accountable for the data they hold.
"Letting them off the hook because they gave it their ‘best effort’ or
followed outdated standards seems like we’re lowering the bar too
far," he said.
b