You are here

You are here

Why safe harbor is the best way forward for data protection

public://pictures/swm.jpg
Stan Wisseman Chief Security Strategist, CyberRes
 

Data breach notification laws have become popular among the states—all 50 have them—as well as in the District of Columbia, Guam, Puerto Rico, and the Virgin Islands. Once these measures are on the books, though, states continue to tinker with them. This year, for example, 22 states have introduced or considered bills amending existing laws.

Many of the alterations focus on changing the time required to report a breach, expanding who needs to report a breach, redefining what's considered personal information, and requiring reporting of breaches to the attorney general or another regulator in the state.

Some states are considering providing incentives for organizations to beef up their security by providing them with an affirmative defense in civil lawsuits if it can be shown that reasonable security practices were in place at the time of a data breach. Motivating organizations to address data privacy can be difficult. Hence, the incentive.

Here's why incentivizing data protection with so-called safe harbor provisions is the best approach to bolstering cybersecurity.

Safe harbor for meeting standards

Unlike the punitive approach adopted by states such as California and Colorado, states using the incentive approach try to encourage higher levels of cybersecurity by creating a "safe harbor" from data breach litigation by implementing industry or government security standards.

This year states considering bills with affirmative defense provisions include Georgia, New Jersey, Illinois, and Connecticut. Nevada rejected a measure that would have provided immunity from liability for damages if certain security controls or standards are in place. Meanwhile, a measure establishing an affirmative defense was enacted in Utah.

The Cybersecurity Affirmative Defense Act (HB80) is an amendment to Utah's data breach notification law, creating several affirmative defenses for persons facing a cause of action arising out of a breach of system security, and establishing the requirements for asserting such a defense.

The basic intent of the act is to prod individuals, associations, corporations, and other entities to maintain reasonable safeguards to protect personal information by providing an affirmative defense in litigation flowing from a data breach. The incentive is that a person who creates, maintains, and reasonably complies with a written cybersecurity program that is in place at the time of the breach will be able to take advantage of an affirmative defense to certain claims under the act.

The act does not provide any affirmative defense if the person had actual notice of a threat or hazard to the security, confidentiality, or integrity of personal information; if the person did not act in a reasonable amount of time to take known remedial efforts to protect the personal information against the threat or hazard; or if the threat or hazard resulted in the breach of system security. These exclusions are a reminder that a cybersecurity program is not a “write it and forget it” exercise. They put organizations on notice that cybersecurity programs are a risk management tool for a business entity.

Utah isn't alone in establishing an affirmative defense to claims arising from a data breach. Back in 2018, Ohio enacted the Ohio Data Protection Act (SB 220), similarly providing a safe harbor for businesses implementing and maintaining "reasonable" cybersecurity controls.

In a "client alert" published at the time the Ohio law was enacted, the law firm Franz Ward explained that to qualify for the defense, a business must implement written cybersecurity measures designed to protect the security and confidentiality of personal information, protect against any anticipated threats or hazards to the security or integrity of the personal information, and protect against unauthorized access to and acquisition of information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.

Beyond that, a covered entity’s cybersecurity program must “reasonably conform” to one of several industry-recognized or regulatory frameworks, such as the National Institute of Standards and Technology Cybersecurity Framework, the Federal Risk and Authorization Management Program, the Security Rule of the Health Insurance Portability and Accountability Act, or the Payment Card Industry’s Data Security Standards, among others.

Protections are good but limited

The law's protections are noticeably limited in scope to certain types of tort claims, leaving even those businesses that have robust cybersecurity programs vulnerable to statutory violations, such as data breach notification requirements, or claims based in contract, such as a business-vendor dispute.

New York has a similar but narrower version of the Utah and Ohio statutes. Enacted in 2020, New York’s Stop Hacks and Improve Electronic Data Security Act requires that organizations that collect data maintain reasonable security, according to applicable regulatory schemes—such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act, which requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data—and also specific agencies such as the New York State Education Department and its Department of Motor Vehicles.

Will safe harbor spread?

This affirmative defense model established by Utah and Ohio should be a win for both companies and consumers, since it encourages heightened protection of personal data while providing a safe harbor from certain claims for companies facing data breach litigation. Given that tying reasonable cybersecurity practices to adoption of the recognized frameworks is voluntary, it seems likely that other states will pick up the baton, particularly since there are no comparable definitions of reasonable cybersecurity at the federal level.

All in on what works for data privacy protection

If leveraging an affirmative defense approach motivates organizations to act and implement data privacy protections, I’m all for doing it. Creating, maintaining, and complying with a robust data protection program is a critical risk management and legal compliance step they should take, and one that might provide protection from litigation following a data breach.

Keep learning

Read more articles about: SecurityData Security