Pub. 16 2021-22 Issue 1

NEBANKERS.ORG 14 COUNSELOR’S CORNER — continued from page 13 bill. 9 Under prior HIPAA/HITECH laws, an organization could face fines, audits, or the imposition of remediation remedies for cyber breaches and determined and imposed by the Secretary for the Department of Health and Human Services (HHS). Often health care organizations would argue, to no avail, that they had implemented all the cybersecurity measures they could afford to protect their information and their network, but they still suffered a cyber attack. The reality is that large organizations have very capable cybersecurity staff, but, despite their efforts and skill in defending their network, the exploitation of a single zero-day vulnerability or a single phishing email may expose a significant amount of sensitive data. Under this new federal law, HHS may reduce fines, reduce imposed remedies or terminate an audit. The organization only need demonstrate that it had, for the prior 12 months, security practices in place that meet certain cybersecurity standards. These cybersecurity standards are defined as NIST, the Cyber Security Act of 2015, or other recognized cybersecurity programs developed by private industry. Implications for Banking The FFIEC established a framework for banking through the Cybersecurity Assessment Tool (“CSAT”). In the CSAT the FFIEC offers a baseline of declarative statements. These declaratives statements are then mapped to the FFIEC IT Examination Handbook and to the NIST standards. To date, none of the safe harbor laws directly recognize the CSAT as a framework, but, as an example, the Utah law allows the following: (ii) reasonably conforms to the current version of any of the following frameworks or publications, or any combination of the following frameworks or publications: (A) NIST special publication 800-171; (B) NIST special publications 800-53 and 800-53a; The mapping provided by the FFIEC in Cybersecurity Assessment Tool 10 provides a direct correlation between the CSAT and the NIST standards. This correlation can provide banks with a strong basis for claiming benefits of such safe harbor provisions. Robert Kardell, Attorney, Baird Holm LLP 1 ComputerWeekly.com, “Banks face daily cyber-attacks, many of which succeed in stealing data, research finds”, https://www.computerweekly.com/news/450417135/Banks-suffer- average-of-85-attempted-serious-cyber-attacks-a-year-and-one- third-are-successful, last visited April 29, 2021. 2 IBM and The Ponemon Institute, “2019 Cost of a Data Breach”, https://www.ibm.com/security/data-breach last visited on April 29, 2021. 3 Cybersecurity Affirmative Defense Act (HB80), Utah Code § 78B-4-702 4 Ohio Revised Code Section 1354, “Businesses Maintaining Recognized Cybersecurity Programs”. 5 Id at (A)(1) 6 Id at (C), and similar to Utah 78B-4-702 (4)(c) 7 Connecticut General Assembly, H.B. No. 6607, “AN ACT INCENTIVIZING THE ADOPTION OF CYBERSECURITY STANDARDS FOR BUSINESSES” 8 Id at (B) 9 H.R. 7898, Public Law 116-321, to amend 41 USC Sec. 17931 et seq., officially titled “To amend the Health Information Technology for Economic and Clinical Health Act to require the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes.” 10 https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_ to_NIST_CSF_June_2015_PDF4.pdf, last visited on May 1, 2021. Conclusions State and federal legislatures are recognizing the need to protect and incentivize companies for good cybersecurity. They are providing these incentives through safe-harbor laws. These laws recognize that businesses of all sizes have become victims of cyber attacks even after implementing robust cybersecurity protocols. These laws both incentivize the adoption of cyber frameworks and provide litigation safe harbors. These laws are the newest trends in cybersecurity law and banks, and companies of all sizes can take advantage of the safe harbors by adopting and implementing nationally recognized frameworks. Such measures will protect companies from overly litigious clients and customers. Banks can, and should, include direct references to recognized NIST standards in their own policies to protect their organizations as more such laws are surely on the horizon. 