Co-authored by Andrew Proia
Last week, the much-anticipated (at least in the, let's face it, relatively small and quirky circles that pay attention to this stuff) NETmundial meeting on the future of Internet governance wrapped up in Brazil. The conference helped to entrench a growing consensus surrounding the multi-stakeholder model of Internet governance, along with calling for a "secure, stable, resilient, [and] reliable" cyberspace. One of the recent paths toward enhancing cybersecurity, at least in the United States, has been the 2014 NIST Cybersecurity Framework. The Framework harmonizes consensus standards and industry best practices to provide, its proponents argue, a flexible and cost-effective approach to enhancing cybersecurity that assists owners and operators of critical infrastructure in assessing and managing cyber risk. But even though it's voluntary, ignoring it may prove costly.
Reactions to the NIST Framework have been mixed. From its inception, the Framework has been developed with an aim toward creating a robust method of addressing critical infrastructure cybersecurity concerns without enacting binding (and potentially cumbersome) regulatory requirements. Proponents suggest that market-based incentives and support through the Department of Homeland Security's Critical Infrastructure Cyber Community Voluntary Program (referred to as the "C-Cubed" Program) will help encourage organizations to adopt the Cybersecurity Framework. However, while market-driven incentives may play a role, it's likely that avoiding liability may be a primary driver in firm decision-making. Negligence lawsuits in particular could use the Framework to shape reasonable standards of cybersecurity.
Negligence, put simply, is the "failure to behave with the level of care that someone of ordinary prudence would have exercised under the same circumstances." Negligence liability and data security have had a very checkered past. Article III standing requirements and the "economic loss doctrine" have often allowed courts to avoid articulating two crucial elements in a negligence security case: (1) whether a defendant owed a duty to provide a reasonable level of cybersecurity care, and (2) whether that duty of care was breached. However, the potential for lax security measures in critical infrastructure organizations to hurt the public health, safety, or welfare could overcome some of these hurdles. Additionally, recent cases have signaled a shift in how courts approach these cases, causing some to suggest that we stand at "the dawn of a new era of cybersecurity tort liability."
As courts begin to shape a cybersecurity duty of care in this "new era," the NIST Framework could be used to determine whether a company's duty has been successfully met. Some approaches to determining what constitutes a reasonable standard of care rely on a "risk/utility formula" that weighs the probability that an injury will occur and the gravity of the resulting injury against the burden on a company of implementing adequate precautions. The Cybersecurity Framework could provide a new basis on which courts utilize the formula, particularly in determining how "adequate" the Framework might have been to prevent alleged harms and the "burden" on an organization to implement the Framework. A more common approach, however, has been to rely on "industry standard" practices as the reasonable threshold. For instance, the Southern District of California suggested in the ongoing case In re Sony Gaming Networks and Customer Data Security Breach Litigation that Sony's failure to employ industry cryptology standards during its massive 2011 data breach was enough for plaintiffs to allege that Sony breached its duty to employ reasonable data security measures. Again, with the goal of the Administration and the C-Cubed Voluntary Program to increase adoption of the Framework, we could see a movement toward consensus industry standards.
Some have suggested that failure to implement the NIST Framework could create a "presumption of negligence," should an incident occur. That's definitely a possibility. But the Framework could also act as a form of security "safe harbor" for companies. Companies may look to the Framework for its use as a liability shield, arguing that, despite the occurrence of cyber attacks resulting in harm, an organization's utilization of the Framework translated into reasonable security measures under the circumstances and could therefore remove liability. In other words, the NIST Framework can be thought of as both a sword and a shield. Either way, it's worth paying attention to in the United States and beyond.