The Benefits of the NIST Cybersecurity Framework for the Private Sector

Burns & Levinson LLP

Organizations of all types are increasingly subject to data theft and loss, whether the asset is customer information, intellectual property, or sensitive company files. The federal government and, thus, its private contractors have long relied upon the National Institute of Standards and Technology (NIST, within the Commerce Department) to develop standards and guidance for information protection. One of the most important of these is the relatively recent Cybersecurity Framework (CSF), which gives an organization a common structure and vocabulary for describing, assessing, and improving its cybersecurity program. Private-sector organizations should be motivated to implement the NIST CSF not only to enhance their cybersecurity, but also to lower their potential exposure to legal liability.

While NIST has been active in this area for some time, the CSF's statutory footing is the Cybersecurity Enhancement Act of 2014, signed in December of that year. As part of the government's effort to protect critical infrastructure, in light of increasingly frequent and severe attacks, the Act directed NIST to "…on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure." The "voluntary, consensus-based, industry-led" qualifiers meant that at least part of NIST's marching orders was to develop cybersecurity standards that the private sector could, and hopefully would, adopt.

Nearly two years earlier, in February 2013, then-President Obama had issued Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," which kickstarted the process (and under which the first version of the CSF was published in February 2014, before the Act codified NIST's role). The Order called for:

  • a set of standards, methodologies, procedures, and processes that align policy, business, and technical approaches to address cyber risks;
  • a prioritized, flexible, repeatable, performance-based, and cost-effective approach to help owners and operators of critical infrastructure:
    • identify, assess, and manage cyber risk;
    • identify areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations; and
    • be consistent with voluntary international standards.

The private sector, whether for-profit or non-profit, benefits from an accepted set of standards for cybersecurity. Beyond the gains of benchmarking existing practices, organizations have the opportunity to leverage the CSF (or another recognized standard) in their defense against regulatory and class-action claims that their security was subpar. Fundamentally, there is no perfect security, and for any number of reasons there will continue to be theft and loss of information. But if an organization can show that it implemented, and continues to maintain, safeguards based on the CSF, it has a much-improved chance of more quickly dispatching litigation claims and allaying the concerns of regulators.

For firms already subject to a set of regulatory standards, it is important to recall that the NIST CSF:

  • Complements, and does not replace, an organization’s existing business or cybersecurity risk-management process and cybersecurity program.
  • Is voluntary and complements, rather than conflicts with, current regulatory authorities (for example, the HIPAA Security Rule, the NERC Critical Infrastructure Protection Cyber Standards, the FFIEC cybersecurity documents for financial institutions, and the more recent Cybersecurity Regulation from the New York State Department of Financial Services).
  • Leverages existing standards, guidance, and best practices, and is a good source of references (its informative references map each outcome to controls in, e.g., NIST SP 800-53, ISO/IEC 27001, and COBIT).
  • Is designed to be inclusive of, and not inconsistent with, other standards and best practices.

As cyber attacks and data breaches increase, companies and other organizations will inevitably face lawsuits from clients and customers, as well as potential inquiries from regulators such as the Federal Trade Commission. The FTC, as one example, has an impressive record of enforcement actions against companies for lax data security, yet it has investigated and declined to enforce against many more. In the litigation context, courts will look to identify a standard of care against which those companies or organizations should have acted to prevent harm. While the NIST CSF is still relatively new, courts may well come to treat it as the minimum legal standard of care by which a private-sector organization's actions are judged.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Burns & Levinson LLP | Attorney Advertising
