Cyber Safe Harbors

Getting hit with a cyber attack is awful.

With most attacks including both ransomware and data exfiltration (i.e. grabbing all the data), there's a double whammy right from the start.

The news can get worse when the attorneys start calling. Post-breach, organizations are finding they may have legal liability.

Now I'm just sounding pretty negative, so let's flip this post back to something positive...

So far, three states have passed Cybersecurity "Safe Harbor" laws to provide guidance on affirmative defenses to avoid that third gut punch of legal liability. (As always, this is NOT legal advice - it should come as no surprise that we're not attorneys here.)

Those states are: Ohio, Utah and Connecticut.

Good news: the requirements are understandable and clear.

We'll give some highlights of each below, and you'll notice the overlap amongst each state's rules:

Ohio

Ohio is the OG in this one - their law dates back to 2018.

Where do we start?

• Develop a written cybersecurity program that conforms to an “industry recognized cybersecurity framework” (more on that later)
• Maintain compliance with that program

What does my program need to do?

• protect the security and confidentiality of restricted or personal information
• prevent “anticipated threats or hazards to the security or integrity” of that information
• secure any access to sensitive information and prevent unauthorized acquisition

Adequately following Ohio's Section 1354.02 grants organizations "an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state..."

Utah

Next up is Utah, which passed the Cybersecurity Affirmative Defense Act (H.B. 80) in March of 2021:

Where do we start?

• Create and maintain a written cybersecurity program that follows an established cybersecurity framework (again, more on that later)
• Ensure the program is live at the time of any attack in question

What does my program need to do?

• protect the “security, confidentiality, and integrity of personal information”
• protect against any anticipated threat or loss or that information
• protect against a breach of system security

Utah also states that the program should take into account things like:

• the size and complexity of the organization
• the “nature and scope” of the organization’s activities
• the sensitivity of the information under protection
• the availability and cost of security tools

Connecticut

And let's move on to Connecticut, who names its laws ever so effectively like - "An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses". I mean, I'm no lawyer (remember that disclaimer above), but it seems they could do a little better there.... Ok, on to the rules:

Where do we start (don't gasp)?

• Create and maintain a written cybersecurity program that follows an established cybersecurity framework (and again, more on that at the end)
• Ensure that program is updated as the identified framework changes

And from there, Connecticut makes it easy - they simply highlight the qualifying regulations to allow organizations to stand on this affirmative defense.

Which Regs?

Ok, let's put a bow on this thing.

You've noticed that each one of these states requires compliance with a written cybersecurity program. That program must follow an established and accepted regulation or framework.

So now what are some of the conforming regulations and frameworks?

• NIST 800-171 (The National Institute of Standards and Technology)
• NIST 800-53 and 800-53a
• FedRAMP Security Assessment Framework - The Federal Risk and Management Program
• ISO/IEC 27000
• HIPAA’s Security Rule
• PCI DSS - Payment Card Industry Data Security Standard

All of these require work to accomplish, but compliance with these standards provides an excellent security foundation.

As you might have suspected, INFIMA provides its Partners with Security Awareness Training Policies, built for each client.

And hey, if you're an MSP and want to learn more, go check out how we work with Partners here. If you like what you see, book a time to chat!

Disclaimer: we're not attorneys, never want to be attorneys, and shouldn't be relied on as providing legal advice!