States Are Offering Carrots As Well As Sticks

For the past several years states have been passing privacy laws that impose stiff penalties on organizations that mishandle the personal information of their residents. However, a growing number of states have passed legislation that can provide legal “safe harbor” to those organizations that implement and maintain security measures based on a recognized cybersecurity framework.


In recent years, Utah, Ohio, and Connecticut have enacted legislation that offers legal protection to organizations that have implemented and maintained strong security practices. Specifically, the laws cite several common cybersecurity frameworks that qualify, including NIST CSF, NIST 800-171, CIS, and ISO 27001, among others. For organizations in a regulated industry (HIPAA, SOX, CMMC, etc.), demonstrated compliance with those regulations also applies. Several other states have proposed bills and pending legislation that will offer the same protection in those states. Additionally, some states, such as California, have included safe harbor provisions in their data privacy laws.


Under the legislation, should an organization find itself in court as the result of a cyber incident, the laws provide an affirmative defense for liability caused by data breaches if the organization can prove that it took reasonable steps to maintain security in accordance with a recognized standard.


With the cybersecurity threat landscape growing rapidly, the states are recognizing that organizations must improve their security practices and maintain a strong cybersecurity posture. However, we know that there is no such thing as 100% security. By enacting these laws, states are shielding those organizations that take reasonable steps to protect their data from the worst legal consequences.


Of course, safe harbor does not give an organization a "hall pass" in the event of a data breach. For instance, if the organization was aware of a threat or vulnerability and did nothing to remediate it, safe harbor offers no protection. Organizations must not only implement the security framework but also maintain it on an ongoing basis. Proper maintenance of a security plan involves documentation, adherence to procedures, continual auditing, and change management. Security must become part of the culture to be maintained.


Managed Service Providers can help their clients get this protection by, first, ensuring their own practices meet the requirements of an established cybersecurity framework. Then, the MSP can work with the client to ensure their internal practices align with the standard. Wrapping this in with a Compliance-as-a-Service offering can provide an additional revenue source for the MSP as well. By working strategically with their clients to protect their business both technically and legally, MSPs can provide more value and command higher rates.


There are few cases of the existing laws being tested in court. Often, it is challenging for judges and juries to understand the details of technology-related cases. Exactly how an organization proves, in a court of law, that it was in compliance with the standard at the time of the breach is unclear and will likely vary by state and case. Ultimately, good documentation of procedures, log files, change management records, and proof of past audits around the time of the incident are the critical pieces of evidence that would be required to prove reasonable measures were taken. All of this is part of the compliance process regardless of the framework.


OTX Roundtable GRC

The adoption of a formal cybersecurity framework is a lengthy and laborious task. It is difficult to keep the goal front and center given the unpredictable nature of the MSP industry. OTX Roundtable GRC was created to offer a supportive environment for MSPs to create a security- and compliance-centric culture within their practice. Members are committed to achieving compliance, support each other in the effort, and hold each other accountable to meeting the requirements. Find out more about joining OTX Roundtable GRC here.
