Conference Of Western Attorneys General Releases Cybersecurity Safe Harbor Policy Working Paper

King & Spalding

On September 6, 2018, the Conference of Western Attorneys General (“CWAG”), a bipartisan group of attorneys general from a majority of U.S. states, issued a Cybersecurity Safe Harbor Policy Working Paper (the “Paper”) analyzing the policy considerations behind cybersecurity safe harbors. The Paper, available here, is a product of the CWAG Cybersecurity Working Group, which held several policy discussions with stakeholders including attorneys general, regulators, and private sector representatives on cybersecurity topics. The CWAG concludes in the Paper that the viability of safe harbor provisions in state legislation should be evaluated in detail, noting that “[n]obody can secure their data and systems from 100% of attacks, but all can take actions that reasonably comport with the accepted industry security standards and thereby substantially lessen the likelihood and effect of a successful attack.”

The CWAG recommends increased dialogue on legal safe harbor provisions, which provide a civil defense to entities that take reasonable measures to protect customer data in the event of litigation resulting from a breach (generally private class action lawsuits). The Paper states that safe harbors can help align business and customer interests, recognizing that “businesses want comfort that investments in cybersecurity will help mitigate legal exposure if a security event occurs, and consumers want to patronize companies that are making appropriate investments in cybersecurity so that their own economic interests are protected.” The CWAG points out that the opposite perspective—namely, that investments in significant cyber defense resources will offer no advantage to a company in the event of a breach because it will be punished regardless—should not be encouraged. Importantly, establishing a safe harbor “would incentivize companies to voluntarily report breach events as early as possible because the companies—at least those that have taken appropriate steps to align themselves with the provisions of the ‘safe harbor’—would not subject themselves to legal liability by merely disclosing the breach event.”

The CWAG recognizes that the actual implementation of a safe harbor provision is more difficult than acknowledging that it is a good policy idea. The Paper notes that, at a high level, the CWAG agrees that “if a business voluntarily makes reasonable and timely investments in its cybersecurity, and that same business is victimized by a third party breach, it should have the opportunity to use its investment affirmatively to mitigate liability.”

The Paper describes potential differences in the details, such as the appropriate standard (e.g., reasonableness) to apply and the required security framework. The CWAG concludes that there is consensus that the safe harbor is an “important concept to pursue” but there “remains a divide on how to do it.” For instance, while the National Institute of Standards and Technology Cybersecurity Framework is well known and understood, it may not be appropriate for all businesses. The Paper notes that industry-specific standards which account for data type (e.g., health information) could be a workable approach as long as “the industry group is clearly defined so business and customers can understand in which group they belong, and that each group is clearly correlated to an appropriate framework.”

With respect to government enforcement actions, the Paper explains that the concept of a safe harbor affirmative defense typically is reserved for private litigation, not for entities subject to a government investigation. However, the CWAG points out that the safe harbor concept could be used to shift the burden of proof from one party to another in enforcement litigation by establishing a “presumption of blamelessness” for a company that has made significant investments in cybersecurity controls. In that context, a company with a strong cybersecurity program that nonetheless has a breach could use the “presumption of blamelessness” in an enforcement action if it can persuade a court that the presumption is warranted because of the company’s robust program. The Paper notes that “[i]f such a motion is successful, the court could require the regulator to meet a new, higher burden of proof to hold the company responsible.”

At bottom, the CWAG’s consensus regarding the need to examine the viability of cybersecurity safe harbor provisions underscores the importance of state legislation that accounts for the modern reality that data breaches are not a matter of if, but when, and further highlights the importance of incentivizing companies to invest in strong cybersecurity programs.
