New Proposed Laws include Safe Harbor when Aligned with NIST Privacy Framework

A new trend in privacy and cybersecurity laws is the introduction of safe harbor clauses for aligning data protection controls to recognized data privacy and cybersecurity frameworks.

  • OHIO HB376: In July 2021, Ohio introduced the Ohio Personal Privacy Act (OPPA) which states, “A business has an affirmative defense against allegations of violations of [regulatory enforcement or consumer lawsuits] if that business creates, maintains, and complies with a written privacy program that reasonably conforms to the National Institute of Standards and Technology Privacy framework entitled ‘A Tool for Improving Privacy through Enterprise Risk Management Version 1.0,’…” The NIST reference here is the NIST Privacy Framework.
  • CONNECTICUT H.B. No. 6607: Also in March 2021, the Connecticut General Assembly agreed to hear a bill, “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses”, which echoes Ohio’s safe harbor law. The bill establishes a legal safe harbor for organizations that voluntarily adopt recognized cybersecurity best practices (NIST Framework or CIS controls) and implement a written security program.
  • UTAH H.B. No. 0080: In early March 2021, Utah became the second state to adopt a cybersecurity safe harbor statute that similarly references written and recognized frameworks and standards. Under Utah’s recently passed Cyber Security Affirmative Defense Act, entities that create, maintain, and reasonably comply with a written cybersecurity program may use their compliance with their cybersecurity program as an affirmative defense to data breach claims brought under state law. The frameworks referenced include the National Institute for Standards and Technology (NIST) special publication 800-171, 800-53, and 800-53a; Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense; and International Organization for Standardization/International Electrotechnical Commission (ISO) 27000 Family- information security management systems.
  • Federal HR 8998: In January 2021, a new federal law was signed that provides safe harbor to HIPAA covered entities and business associates from breach penalties and required audits if they implemented the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) for the prior 12 months.

Complying with a written data protection program that is aligned to one of the recognized data privacy or cybersecurity frameworks will pay dividends by reducing vulnerability to threats and negative publicity associated with the lack of data protection safeguards. That said, it is important to note that there is a distinct difference between complying with a written data protection program and establishing bona fide privacy compliance and security within your organization.

As an initial step in evaluating an organization’s existing privacy maturity, an organization should consider utilizing the NIST Privacy Framework which includes 100 data protection controls. The controls within the NIST Privacy Framework can then be mapped to requirements in existing and proposed privacy regulations including the GDPR, CCPA, HIPAA, LGPD, and other pending U.S. state laws. Such an approach, when implemented correctly, harmonizes the existing regulations while building a standard global data privacy compliance program that can be leveraged to meet future data protection compliance requirements

Written by:

Ankura Cybersecurity & Data Privacy
Contact
more
less

Ankura Cybersecurity & Data Privacy on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.