October 8, 2018

Data, Privacy & Security Practice Report – October 8, 2018

Conference Of Western Attorneys General Releases Cybersecurity Safe Harbor Policy Working Paper – On September 6, 2018, the Conference of Western Attorneys General (“CWAG”), a bipartisan group of attorneys general from a majority of U.S. states, issued a Cybersecurity Safe Harbor Policy Working Paper (the “Paper”) analyzing the policy considerations behind cybersecurity safe harbors. The Paper, available here, is a product of the CWAG Cybersecurity Working Group, which held several policy discussions with stakeholders including attorneys general, regulators, and private sector representatives on cybersecurity topics. The CWAG concludes in the Paper that the viability of safe harbor provisions in state legislation should be evaluated in detail, noting that “[n]obody can secure their data and systems from 100% of attacks, but all can take actions that reasonably comport with the accepted industry security standards and thereby substantially lessen the likelihood and effect of a successful attack.”

The CWAG recommends increased dialogue on legal safe harbor provisions, which provide a civil defense to entities that take reasonable measures to protect customer data in the event of litigation resulting from a breach (generally private class action lawsuits). The Paper states that safe harbors can help align business and customer interests, recognizing that “businesses want comfort that investments in cybersecurity will help mitigate legal exposure if a security event occurs, and consumers want to patronize companies that are making appropriate investments in cybersecurity so that their own economic interests are protected.” The CWAG points out that the opposite perspective—namely, that investments in significant cyber defense resources will offer no advantage to a company in the event of a breach because it will be punished regardless—should not be encouraged. Importantly, establishing a safe harbor “would incentivize companies to voluntarily report breach events as early as possible because the companies—at least those that have taken appropriate steps to align themselves with the provisions of the ‘safe harbor’—would not subject themselves to legal liability by merely disclosing the breach event.”

The CWAG recognizes that the actual implementation of a safe harbor provision is more difficult than acknowledging that it is a good policy idea. The Paper notes that, at a high level, the CWAG agrees that “if a business voluntarily makes reasonable and timely investments in its cybersecurity, and that same business is victimized by a third party breach, it should have the opportunity to use its investment affirmatively to mitigate liability.”

The Paper describes potential differences in the details, such as the appropriate standard (e.g., reasonableness) to apply and the required security framework. The CWAG concludes that there is consensus that the safe harbor is an “important concept to pursue” but there “remains a divide on how to do it.” For instance, while the National Institute of Standards and Technology Cybersecurity Framework is well known and understood, it may not be appropriate for all businesses. The Paper notes that industry-specific standards that account for data type (e.g., health information) could be a workable approach as long as “the industry group is clearly defined so business and customers can understand in which group they belong, and that each group is clearly correlated to an appropriate framework.”

With respect to government enforcement actions, the Paper explains that the concept of a safe harbor affirmative defense typically is reserved for private litigation, not for entities subject to a government investigation. However, the CWAG points out that the safe harbor concept could be used to shift the burden of proof from one party to another in enforcement litigation by establishing a “presumption of blamelessness” for a company that has made significant investments in cybersecurity controls. In that context, a company with a strong cybersecurity program that nonetheless has a breach could use the “presumption of blamelessness” in an enforcement action if it can persuade a court that the presumption is warranted because of the company’s robust program. The Paper notes that “[i]f such a motion is successful, the court could require the regulator to meet a new, higher burden of proof to hold the company responsible.”

At bottom, the CWAG’s consensus regarding the need to examine the viability of cybersecurity safe harbor provisions underscores the importance of state legislation that accounts for the modern reality that data breaches are not a matter of if, but when, and further highlights the importance of incentivizing companies to invest in strong cybersecurity programs.

Reporter, Kyle Sheahen, New York, +1 212 556 2234,

FDA Releases Medical Device Cybersecurity “Playbook” And Will Update Device Cybersecurity Guidance – On October 1, 2018, in response to concerns about the risks of cyberattacks on patient medical devices, the U.S. Food and Drug Administration (“FDA”) Commissioner Scott Gottlieb, M.D. announced the release of a cybersecurity “playbook” to assist health care delivery organizations, as well as the signing of two memoranda of understanding (“MOUs”) to promote information sharing, preparedness, and response around cybersecurity risks. While the FDA is not aware of any report that a cyberhacker compromised a medical device in use by a patient, and while medical devices may not be the intended target of hackers, Dr. Gottlieb recognized that “if these products are connected to a hospital network, such as radiologic imaging equipment, they may be impacted.”

The “Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook,” prepared by the MITRE Corporation in coordination with the FDA, outlines “target capabilities” for healthcare delivery organizations in cybersecurity preparedness and response. Although not all organizations will be able to implement all of the recommendations as a result of operational constraints, the “playbook” identifies key stakeholders, processes, and questions to consider in developing a baseline cybersecurity framework. Additionally, Dr. Gottlieb reported that FDA staff have developed an internal agency playbook to help respond to cybersecurity attacks.

The two signed MOUs will create information sharing analysis organizations (“ISAOs”) of stakeholder groups to share, analyze, and distribute information about medical device cybersecurity vulnerabilities and emerging threats. Dr. Gottlieb noted that “the FDA believes that manufacturers that participate in ISAOs signal they’re being proactive in addressing cybersecurity.”

Dr. Gottlieb also announced that the FDA will soon publish a “significant update” to its premarket guidance for medical device cybersecurity, last updated in 2014. Dr. Gottlieb previewed that the new draft guidance will cite the value of providing medical device customers and users a “cybersecurity bill of materials,” described as “a list of commercial and/or off-the-shelf software and hardware components of a device that could be susceptible to vulnerabilities.” The FDA will review comments from stakeholders on the updated guidance and will continue to update its regulations “to proactively address medical device cybersecurity.”

Dr. Gottlieb’s statement can be found here.

The cybersecurity “playbook” can be found here.

The MOUs can be found here and here.

Reporter, Allison Kassir, Washington, D.C., +1 202 626 5600,