Pub. 16 2021-22 Issue 1

NEBANKERS.ORG

COUNSELOR’S CORNER

Proactive Affirmative Defense Laws Protect Companies From Litigation

In 2013-2014, the National Institute of Standards and Technology (NIST) adapted the widely used government standards of NIST 800-53 for the private sector by creating and publishing the Cybersecurity Framework (CSF). The CSF provided a method for private companies to complete an assessment and adopt relevant portions of the NIST standards for their own use. Soon after, the Federal Financial Institutions Examination Council (FFIEC) created the Cybersecurity Assessment Tool to map NIST and CSF standards for banks. This framework helped banks implement cybersecurity to protect their assets and information.

Until recently, the adoption of NIST, or other recognized standards, was a good defensive legal posture. But now, the adoption of such standards can be a proactive step in establishing a legal safe harbor from lawsuits. Because they are promoted as a legal safe harbor, these new laws become incentives to adopt recognized cybersecurity standards.

Cyber attacks have become commonplace across all business lines, including financial, health care, insurance, retail and general businesses. In 2020, the number of cyber attacks increased again due to COVID and the vulnerability of remote workers. For the banking industry, the threats and the costs of recovery are higher than for all but health care. On average, banks face 85 serious attempts a year to penetrate their network, and approximately 36% of these attempts result in some data being stolen.[1] Banks also have the second-highest cost per record (second to health care) to recover from a breach.[2] Cyber attack victims have not only endured the expense of recovery from a cyber breach, but have also endured attacks from zealous plaintiffs’ attorneys.

As if banks were not paying enough money for cybersecurity, monitoring and recovery costs, the costs are even greater if they are forced to defend themselves in an ensuing class-action lawsuit. But there is a new trend among legislators to protect businesses from cybersecurity lawsuits. Several newly enacted laws provide safe harbors for companies that have written cybersecurity policies and have taken the necessary steps to protect their data. Utah became the second state to provide safe harbor protections, and the federal government has provided some protection as well.

Robert Kardell, Attorney, Baird Holm LLP
