Data Security Protocols: How They Continue to Evolve

by John DiGiacomo, Partner, Internet Law

Despite more than two decades of effort, computer and data storage breaches continue unabated. Washington State, for example, released annual statistics showing 280 data breaches in that state alone in 2020 (including one breach that impacted more than a million customers). The report also detailed a large uptick in cyberattacks and ransomware incidents.

As a result of seemingly never-ceasing efforts by cybercriminals, cybersecurity protocols continue to evolve. For example, the National Institute of Standards and Technology (“NIST”) recently announced a new framework for cybersecurity and ransomware risk management. Nearly every state has a statute or regulations that require government agencies and private businesses to take reasonable state-of-the-art steps to secure data collected and stored. The NIST standards are one of the benchmarks used when evaluating whether a government agency or private company has satisfied current state-of-the-art standards with respect to cybersecurity. For example, the US Department of Defense requires its private contractors to meet NIST standards when complying with cybersecurity requirements.

The new NIST framework is an effort to simplify how companies and agencies should “frame” cybersecurity issues because the actual protocols are very complex. On the one hand, organizations need a “high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.” But, at the same time, an organization needs a simplified framework with respect to how to understand what it is “seeing” from the “high-level, strategic view.” In this way, an organization can better assess its mitigation and recovery readiness and gauge and manage its risks. The Framework provides a simple-to-understand five-word list of core cybersecurity objectives: identify, protect, detect, respond and recover.

On a practical level, NIST provides a long list of steps that “fit” into each part of the overall framework. A few examples include:

  • Audit and identify all systems and connected devices — identify
  • Differentiate data as high, medium and low risk — identify
  • Disallow personally-owned devices — identify and protect
  • Disallow personal use of organization-owned systems — identify and protect
  • Prioritize protection of high risk data such as data that allows person identification — identify and protect
  • Segment networks and firewall — protect
  • Allow only specific user activity and installation of apps — protect
  • Use multi-factor access protocols and other protections — protect
  • Assign, monitor and manage authorization and access credentials — protect and detect
  • Never stop using antivirus and other security software — protect, detect, respond and recover
  • Update and patch constantly — protect, detect, respond and recover
  • Monitor continuously (both passively and actively) — detect, respond and recover
  • Actively block access to malicious activity — respond
  • Constantly train employees at the appropriate level — detect, respond and recover
  • And more

Some of these evolving security protocols are already being put in place. For example, the Department of Defense recently modified its cybersecurity certification program for DOD contractors. Contractors have already been categorized into three levels of risk based on the data they collect and to which they have access. For the lowest risk level, the DOD is making it easier for contractors to obtain and maintain their certifications. If you have legal questions about data security, how to respond to data breaches and ransomware attacks, or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100.

State Data Security Laws: What Businesses Must Know

While NIST provides voluntary guidance, state data security laws impose mandatory requirements. Virtually every state in the country now has a data breach notification statute requiring businesses to notify affected individuals — and often state regulators — within specified timeframes when a breach of personal information occurs. These notification windows have tightened considerably over time. Several states, including Florida, Colorado, and Montana, now require notification within 30 days of discovery. Some breach notification laws also require notification to the Federal Trade Commission or sector-specific federal regulators like the Department of Health and Human Services for healthcare data.

Beyond breach notification, states increasingly mandate affirmative data security measures. California’s CCPA and CPRA require businesses to implement reasonable security procedures and practices appropriate to the nature of the personal information they collect. Massachusetts regulation 201 CMR 17.00 requires businesses that own or license personal information of Massachusetts residents to develop, implement, and maintain a comprehensive written information security program (“WISP”). New York’s SHIELD Act imposes a similar requirement on businesses that own private information of New York residents.

The Rise of Ransomware: Legal Obligations and Risks

Ransomware attacks — where cybercriminals encrypt a business’s data and demand payment for the decryption key — have become one of the most significant cybersecurity threats facing businesses of all sizes. These attacks create complex legal issues beyond data breach notification obligations:

  • Sanctions risk from ransom payments — The Office of Foreign Assets Control (“OFAC”) has issued guidance warning that paying ransom to certain threat actors may violate US sanctions law. Businesses must conduct sanctions screening before making any ransomware payment. Engaging a cybersecurity attorney before paying is critical.
  • Cyber insurance coverage disputes — Many businesses carry cyber insurance policies, but coverage disputes are common. Insurers have denied ransomware claims under “act of war” exclusions when attacks are attributable to nation-state actors. Policy terms should be reviewed carefully with counsel before a breach occurs, not after.
  • Regulatory investigations following ransomware incidents — If ransomware results in exfiltration of personal data, the business may face regulatory investigation in addition to the operational disruption. The FTC, state attorneys general, and sector regulators have all brought enforcement actions following ransomware incidents where the underlying security measures were deemed inadequate.

NIST CSF 2.0 and the Governance Function

NIST released version 2.0 of its Cybersecurity Framework (“CSF 2.0”) in February 2024. The most significant change was the addition of a sixth core function: Govern. The Govern function recognizes that cybersecurity risk management is not purely a technical exercise but a business and governance responsibility. It covers organizational context, risk management strategy, roles and responsibilities, cybersecurity policies, oversight, and supply chain risk management.

The practical implication for businesses is that cybersecurity is now explicitly a board-level and executive-level responsibility, not just an IT department concern. The Securities and Exchange Commission (“SEC”) has reinforced this with its cybersecurity disclosure rules, which require public companies to disclose material cybersecurity incidents within four business days and to provide annual disclosures about their cybersecurity risk management, strategy, and governance practices.

Building a Legally Defensible Security Program

A legally defensible data security program is one that, if scrutinized by a regulator or plaintiff’s attorney following a breach, demonstrates that the organization implemented and maintained reasonable safeguards proportionate to the risk. Key elements include:

  • A written information security policy and program (WISP) tailored to the organization’s size, industry, and data sensitivity
  • Documented risk assessments conducted at regular intervals
  • Employee training programs with documented completion records
  • Vendor and third-party risk management, including contractual data security requirements in business associate agreements and data processing agreements
  • An incident response plan that has been tested through tabletop exercises
  • Documented remediation of identified vulnerabilities

When a breach does occur — and for most organizations, it is a matter of when, not if — having this documentation in place is essential for limiting regulatory liability and defending against civil litigation. Contact the data security lawyers at Revision Legal at 231-714-0100 to review your current security posture and compliance obligations.
