A new trend in privacy and cybersecurity laws is the introduction of safe harbor clauses that reward organizations for aligning their data protection controls to recognized data privacy and cybersecurity frameworks.
- OHIO HB 376: In July 2021, Ohio introduced the Ohio Personal Privacy Act (OPPA), which states, “A business has an affirmative defense against allegations of violations of [regulatory enforcement or consumer lawsuits] if that business creates, maintains, and complies with a written privacy program that reasonably conforms to the National Institute of Standards and Technology Privacy framework entitled ‘A Tool for Improving Privacy through Enterprise Risk Management Version 1.0,’…” The NIST reference here is the NIST Privacy Framework.
- CONNECTICUT H.B. No. 6607: In March 2021, the Connecticut General Assembly agreed to hear a bill, “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses”, which echoes Ohio’s earlier cybersecurity safe harbor law (the 2018 Ohio Data Protection Act). The bill establishes a legal safe harbor for organizations that voluntarily adopt recognized cybersecurity best practices (the NIST Cybersecurity Framework or the CIS Controls) and implement a written security program.
- UTAH H.B. No. 0080: In early March 2021, Utah became the second state (after Ohio) to adopt a cybersecurity safe harbor statute that similarly references written and recognized frameworks and standards. Under Utah’s Cybersecurity Affirmative Defense Act, entities that create, maintain, and reasonably comply with a written cybersecurity program may use their compliance with that program as an affirmative defense to data breach claims brought under state law. The frameworks referenced include the National Institute of Standards and Technology (NIST) Special Publications 800-171, 800-53, and 800-53A; the Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense; and the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27000 family of information security management system standards.
- Federal H.R. 7898: In January 2021, a federal amendment to the HITECH Act was signed into law that directs HHS to consider, when determining fines, audits, and other remedies for HIPAA covered entities and business associates, whether the entity had “recognized security practices” (such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)) in place for the prior 12 months. Note that this is a mitigating factor rather than a complete bar to enforcement.
Complying with a written data protection program that is aligned to one of the recognized data privacy or cybersecurity frameworks pays dividends by reducing exposure to threats and to the negative publicity that follows a lack of data protection safeguards. That said, it is important to note the distinct difference between complying with a written data protection program and establishing bona fide privacy compliance and security within your organization: a document on file is not the same as controls that are implemented, operating, and evidenced.
As an initial step in evaluating an organization’s existing privacy maturity, an organization should consider utilizing the NIST Privacy Framework, whose Core defines 100 outcome-level data protection controls (subcategories). The controls within the NIST Privacy Framework can then be mapped to requirements in existing and proposed privacy regulations, including the GDPR, CCPA, HIPAA, LGPD, and other pending U.S. state laws. Such an approach, when implemented correctly, harmonizes the existing regulations while building a standard global data privacy compliance program that can be leveraged to meet future data protection compliance requirements.