Carrot or Stick? States Try Incentives to Increase Cybersecurity

Societies are only as cyber-secure as their weakest links, prompting state governments to ensure — even incentivize — organizations of all stripes are well defended. As they work to push businesses into better cyber practices, some states have been re-examining the tools available and embracing an approach focused on incentives — not regulation.

A panel at the upcoming RSA Conference will dive into several states’ efforts to entice businesses to implement certain cybersecurity strategies in exchange for some protection should they be sued over data breaches.

“It’s a promising model,” said Center for Internet Security (CIS) Senior Vice President and Chief Evangelist Tony Sager, who will participate in the panel. “This provides some lessons, both for other states, but also what could be done at the federal level.”


Ohio kicked off the movement in 2018, with a safe harbor law protecting businesses that made their best efforts to follow certain relevant, well-established cybersecurity frameworks, such as CIS’s Critical Security Controls. Connecticut and Utah issued similarly worded policies in 2021, and other states have considered following suit.

“This is a trend that’s been building up in a really good way,” Sager told Government Technology.

Sen. Joan Hartley, D-Conn., co-chair of the committee that sponsored Connecticut’s version of the law, told GovTech that officials wanted a way to prompt companies to realize cybersecurity is core to everyday business operations.

“We didn’t want to mandate that [businesses] had to have a cybersecurity program, but we wanted to coach them along,” Hartley said.

Sen. Bob Hackett, R-Ohio, who co-sponsored Ohio’s law, told GovTech the policy aims to both protect consumers’ data and reduce the chances of businesses being hit with frequent, unwarranted lawsuits.

“In court, the business could say, ‘Hey, you know, we basically went to the standards of our profession or our industry,’” Hackett explained. “It’ll help against some frivolous lawsuits.”

Hackett didn’t point to examples of frivolous lawsuits related to data breaches, but said that he’s seen trends in the past in which insurers become unwilling to serve industries that face high risks of lawsuits.

THE ASK

Ohio’s law protects companies that “create, maintain and comply with” written cybersecurity programs that use “administrative, technical and physical” methods to protect personal data. These programs also must “reasonably conform” to a cybersecurity framework that’s recognized by their industry.

Acceptable frameworks could include ones from the National Institute of Standards and Technology (NIST), FedRAMP and other well-established entities. Businesses also must follow any industry-specific data protection regulations — for example, HIPAA regulations if they handle health-care information.

The laws also give companies a timeline for refreshing their cybersecurity programs to keep up with updates to these frameworks. Ohio gives companies a year to get current, while Connecticut gives six months — a tighter timeframe that Hartley said was important given the rapid pace at which technology changes.

THE SAFE HARBOR INCENTIVE

An Ohio company that fulfills the law’s cybersecurity requirements but still falls victim to a data breach is then better able to defend itself in court. It gets specific protections against tort lawsuits, such as if plaintiffs want compensation for damages after a breach revealed personal or restricted information. The law grants companies an affirmative defense against tort suits alleging they are at fault for not adopting “reasonable information security controls” to prevent these breaches.

Connecticut’s law offers slightly different protection, after trial lawyers objected that offering an affirmative defense would have tied their hands too much and “tipped the scales unfairly,” Hartley said. Instead, the state settled on protecting firms only from punitive damages, which are awarded to penalize misbehavior, while leaving them open to compensatory damages, which are awarded to help the wronged party recover. Connecticut’s law also withholds protection in cases of gross negligence or “willful or wanton conduct.”

ACHIEVABLE CYBERSECURITY

Determining whether a company is making sufficient efforts to become cyber-secure is tricky, in part because what counts as a responsible plan may vary depending on an organization’s particular resources and risk profile.

Both Connecticut’s and Ohio’s laws reflect this, by stating that firms’ cybersecurity programs should consider the companies’ contexts. That includes their size and complexity; the kinds of activities they engage in; the sensitivity of the data they handle; and the resources they have available for reducing cyber risks.

Another challenge is that cybersecurity is a continual journey, not a permanently achievable state. Sager said organizations cannot be expected to ramp up their defenses all in one go, and that trying to do so could invite major operational disruptions or burdensome expenses.

But organizations still need to prove they’re making meaningful strides in a timely manner, including by planning out investments and steps.

“Part of the problem with the cyber business … [is] it’s not like, ‘Okay, I did all this stuff, and now I’m ‘reasonable’; I’m done.’ Even our recommendations — no one does them in a month, or even three months or six months,” Sager said. “Really, what the [Ohio] law is looking for is, ‘Do you have a planned program of improvement that is in alignment with these security frameworks?’”

Ohio’s law also says programs must “reasonably” follow recognized cybersecurity frameworks but doesn’t pin down how “reasonable” is defined, allowing for dispute and discussion over what is suitable given a business’s context.

Sager said CIS is currently talking with Ohio officials to recommend ways to assess what counts as an organization’s “reasonable” efforts to follow CIS controls.

One way for a company to prove it has made reasonable efforts might be to document its thinking as it mapped out its cybersecurity plans, including why it did or didn’t adopt certain measures. CIS provides a Risk Assessment Method (CIS RAM) intended to help organizations think through which prevalent attack methods are likely to threaten them and which CIS controls would be most helpful to adopt, given those risks, their own financial limitations and any existing security or risk management practices that might already help address the issue.

DOES IT WORK?

Sager said the approach taken by these laws is promising, and that governments may have an easier time getting such incentive-focused policies passed than they would with regulations, which often face steep industry pushback.

But the impact of the laws is still emerging. Sager said it’s unclear how many companies are seeking to up their cybersecurity strategies in response to the policies.

“The jury is still out on this,” Sager said.

Hackett, too, said that he is unaware of Ohio’s law being tested in court since its passage several years ago. But that doesn’t mean the policy is without effect: it might be discouraging some parties from attempting to bring suit in the first place and may be giving businesses a greater sense of protection.

And Hartley said that the law — and process of crafting it — has been a way to turn companies’ attention to the necessity of cybersecurity.

“We wanted… to send a message to the industry that we recognize the importance,” she said.


https://www.govtech.com/security/carrot-or-stick-states-try-incentives-to-increase-cybersecurity