Communications Litigation Today was a Warren News publication.
‘Sword and a Shield’

NIST Cybersecurity Framework Remains Potential Standard of Care, Lawyers Say

Industry believes use of the Cybersecurity Framework will remain voluntary for the foreseeable future, but industry lawyers and stakeholders told us there’s a strong likelihood the framework will become a de facto standard of care that could become an issue in future litigation. A standard of care is defined as the amount of attention a reasonable individual or entity would exercise in a given situation -- in this case, it would be the level of cybersecurity risk mitigation an entity should reasonably exercise. Stakeholders debated that scenario during the National Institute of Standards and Technology’s (NIST) yearlong development of the framework as part of President Barack Obama’s cybersecurity executive order (CD July 19 p8; Sept 11 p11). A de facto standard may have benefits along with widely perceived negative impacts, industry lawyers told us.

The Version 1.0 framework NIST released last month (CD Feb 13 p5) remains “very skeletal,” but as the document becomes more articulated, “there’s going to be a very robust argument that it’s a minimum standard of care,” said Shlansky Law Group Managing Partner David Shlansky. His practice includes work with major companies and federal agencies on cybersecurity issues. In the absence of a national law governing cybersecurity risk management, creative class-action plaintiffs will argue the NIST framework is a de facto standard for cybersecurity risk management, said K&L Gates’ Roberta Anderson, whose practice focuses on commercial litigation and issues related to cybersecurity and data privacy.

Possible litigation may include cases involving data breaches like the recent Target incident, Anderson said. “I certainly wouldn’t be surprised if they looked to NIST by way of a comparison and to show negligence or fault.” The framework is probably already “articulate enough that there will be an opportunity for someone to make hay out of not following a specific aspect of the framework in a data breach case, like what we've seen at Target or Neiman Marcus or whomever,” Shlansky said. A Target spokeswoman declined to comment.

Government may use the framework as a standard for doing business with federal contractors, Shlansky said. “There will probably be some Federal Acquisition Regulations analogues,” he said. “There are already some FARs that imply various standards of care, but they're not thoroughly articulated. It’s actually conceivable that you could be a contractor for the federal government, be subject to being attacked and you wouldn’t be in violation. You'd have some very bad publicity but you wouldn’t necessarily be in violation of anything.”

The NIST framework is “really the first time that someone’s tried to build up a body of thought that articulates something other than using basic principles of negligence, which is inherently amorphous,” Shlansky said. “That’s such an open playing field that Target probably thought they were abiding by a standard of care and in hindsight these things are easier to point out. Arguably, whether it’s styled as a violation of privacy or as negligence, on those types of things you might have a duty to a third party under the common law.”

‘Sword and a Shield’

Many people want minimum standards of care “because it can be a sword and a shield,” Shlansky said. “If somebody just blows it, it will be an easy argument for a claimant or someone in a commercial context to say ‘your work was deficient, you didn’t abide by this minimal standard of care.’ Conversely, it could have an immunizing effect if you abide by it but someone is still clever enough to infiltrate your apparatus.” A de facto standard would also prevent people from wasting time and resources on ineffective solutions, Shlansky said. “A lot of the procedures that our clients do are almost shadow dances, where they're seeing or hearing what other people are doing. Rather than knowing whether those things are substantive or sensible, they're doing them out of an abundance of caution.”

Companies may actually benefit from facing a de facto standard because they could get some shielding from an industry certification on cybersecurity, Shlansky said. It could take three or four years for a cybersecurity case to go through U.S. courts, and “the common sense instincts of a jury are going to be informed by what’s the then-current belief,” he said. “If there’s this ever-evolving hindsight practice, it’s easy to get caught out on that.” That’s likely to lead to growth in industry certification business, Shlansky said. “There will probably be money to be made in providing professional certification of abidance by a more articulated, more thorough gold or silver standard of conduct.”

It’s fair for critical infrastructure entities to be concerned about the framework’s becoming a de facto standard, but the framework is fundamentally “only a series of best practices and points to existing standards that have existed for some time,” said Norma Krayem, a senior policy adviser at Patton Boggs who co-chairs the firm’s homeland security practice group. All critical infrastructure entities should pay attention to the NIST framework, “comparing it to what their current cybersecurity risk management efforts are and use it as it’s designed to be used -- to move to a more heightened state of cybersecurity,” said K&L Gates’ Anderson.

NIST designed the framework to provide a common language for communication on cybersecurity for an entity’s executives and its information technology staff -- an area where there’s typically been a major disconnect, Anderson said. She noted that a Ponemon Institute report released in January found that only 20 percent of surveyed IT security professionals indicated they communicate frequently with executives about potential cyberattacks or threats. The Ponemon report used a survey of 674 U.S. and U.K.-based IT security professionals (http://bit.ly/1kCRBP9). “Management cannot respond appropriately and put the right protocols in place if they don’t know what the threats are,” Anderson said.

Communications and IT Effect

The communications and IT sectors are considered part of the critical infrastructure the framework targets, so by definition they are “likely to be more impacted than an industry that does not fall within the category of critical infrastructure,” Anderson said. However, those two sectors may have a special burden because “the other critical infrastructure sectors rely on them for everything that they do,” Patton Boggs’ Krayem said. The communications sector, for instance, “is a foundation for innovation in many things you see in the financial services sector, but the struggle then is that there are core interdependencies between these sectors,” she said. “The framework attempts to make it clear that no matter who you are, you are responsible for your portion of the supply chain.”

The Information Technology Industry Council’s intent is for the framework “to not become a standard of care,” but that hasn’t been a concern recently, said Danielle Kriz, ITI director-global cybersecurity policy. “The idea is that it’s not a one-size-fits-all approach,” she said. “You can do with it what makes sense for your organization. Our companies are going to do what they think is right for their business.”

The framework’s scalability “cuts both ways” for smaller companies, Shlansky said. “It’s a treadmill for small companies because it’s very difficult for them to keep up with the latest and greatest,” he said. “The converse is also true, because I think there is an inherent lack of sympathy for big corporations. If there’s a marquee national name, they're going to get hit harder by higher expectations if they're in front of a regulator or a jury.”

Smaller companies also have a bigger incentive to work with the Department of Homeland Security on framework implementation, Krayem said. DHS’s Critical Infrastructure Cyber Community program has “a number of tools and people who can come and help you evaluate what your level of risk is,” she said. “From that point, you'll have a better baseline to evaluate what you need to spend.” Larger entities in the communications sector and other sectors should also be “working within their sector and supply chain to provide assistance,” she said. “There are certainly lessons learned by the larger carriers on risk factors, a much greater awareness about the types of cyber attackers and what that behavior looks like. There are hosts of companies that see things -- and understand what they actually mean -- more than what a smaller carrier would.”

All companies should be doing a cybersecurity assessment regardless of size, Anderson said. “Having a proper, thorough assessment and critically analyzing where you are vis-a-vis the NIST framework has to be beneficial from a cost-benefit analysis standpoint,” she said. “It has to be, given the potential liability that arises out of a failure of cybersecurity efforts and poor risk management.”