Cyber-attacks are an inevitability that every organization will face in the coming years. An organization found unprepared to deal with a data breach or security incident faces catastrophic consequences, including financial repercussions, litigation, loss of business, and reputational damage. Any one of these consequences can sink a business within months. Focusing on the litigation aspect of cybersecurity, it is important that businesses take the steps to secure themselves and their data while also protecting themselves from lawsuits in the event a breach occurs. This is where safe harbor laws come into effect.
What are Safe Harbor Laws?
Safe harbor laws have been passed in several states to help protect organizations from facing legal repercussions due to a security incident, while also incentivizing these businesses to pursue greater security. These pieces of legislation protect businesses from litigation if they are found to have implemented a level of "reasonable cybersecurity" by following an approved security framework and having a written cybersecurity plan.
This means that if your business can prove it has implemented the necessary security measures, then you are protected from facing privacy lawsuits as a result of a data breach.
Safe harbor laws have only been around for a couple of years with Ohio being the first to enact such legislation in 2018. Several other states have followed in Ohio's footsteps and implemented their own safe harbor laws with only minor changes. Here is a list of the states that have implemented safe harbor laws:
- Ohio: Data Protection Act (2018)
- Connecticut: Incentivizing the Adoption of Cybersecurity Standards (2021)
- Utah: Cybersecurity Affirmative Defense Act (2021)
- Tennessee: Information Protection Act (2023)
- Oklahoma: Hospital Cybersecurity Protection Act (2023)
- Iowa: Affirmative Defense for Entities Using Cybersecurity Programs (2023)
In order to meet the requirements of these safe harbor laws, your organization will have to implement an approved cybersecurity framework. These frameworks provide controls and guidelines to help protect against cyber threats and in some cases ensure compliance depending on the industry.
Frameworks recognized by these safe harbor laws include NIST CSF, NIST 800-171, the CIS Controls, FedRAMP, HIPAA, PCI DSS, and more.
What Framework Should You Use?
There are a number of recognized frameworks that these safe harbor laws use to define "reasonable cybersecurity". Some of them are industry specific (for example HIPAA), while others are broader and applicable to all businesses. Out of all of these, CorpInfoTech recommends the CIS Controls as the go-to framework for maximum security coverage.
The CIS Controls are a prescriptive set of cybersecurity controls that address the most common security threats businesses face today. The Controls are divided into 18 security domains, or "controls", each of which contains a number of practical safeguards. These safeguards are then grouped into three "implementation groups" according to "risk size". The controls are technology agnostic and are applicable to any organization regardless of size or industry.
CorpInfoTech is the first managed service provider (MSP) to be accredited under the CIS Controls, and we have implemented the controls in our own services since their inception in 2008. This means that our expertise in implementing the controls, both in our own organization and in our clients', is externally verified by the Center for Internet Security (CIS). Our MSP offers IT and cybersecurity solutions that include security/risk assessments, firewall management (xDEFENSE), vulnerability management (v360), managed IT, managed compliance and more, all with the CIS Controls at their center.
To take advantage of the safe harbor laws in your state using the CIS Controls, contact CorpInfoTech today!