Developing and maintaining a robust cybersecurity program is an investment. Recently, numerous state legislatures have proposed a return on that investment in the form of statutory incentives for organizations who maintain certain safeguards on protecting sensitive information. Importantly, these statutory incentives give yet another reason to persuade management that your organization should invest in cybersecurity.
The New Legislation
As we wrote about a few weeks ago, New York proposed legislation that would provide a safe harbor against regulatory enforcement to companies that meet reasonable security safeguard standards. Follow New York’s lead, the Ohio legislature recently proposed a bill with a similar incentive for those companies who meet certain security standards. Rather than a regulatory safe harbor, however, the proposed Ohio incentive is an affirmative defense in litigation available to companies who have been proactive in protecting sensitive customer information. This defense could allow a company to defeat or mitigate the legal consequences of a breach if it can prove that certain safeguards were in place at the time of the breach.
Under the proposed legislation, to assert the defense, businesses must implement their own cybersecurity programs using one of eight industry-specific frameworks developed by the National Institute of Standards and Technology (NIST). The bill does not make explicit any minimum standards. Rather, the bill intentionally lacks such detail so the legislature does not need to continually revisit the bill to update the standard as technology evolves. A judge will ultimately determine whether a business qualifies for the safe harbor after the business presents evidence of its cybersecurity program.
Companies sometimes struggle to justify investing valuable resources in a cybersecurity program. Incentive-based legislation should be used to convince management that investing in a cybersecurity program will reap identifiable benefits in the future. Regulatory investigation safe harbors and potential litigation defenses are tangible returns for investing in a robust cybersecurity program and can help the company bottom line in the event of a costly breach.