Abstract
Even though U.S. congressional and multilateral efforts aimed at enhancing cybersecurity have thus far largely failed in their aims, courts and regulators are using existing common law doctrines and statutory enactments to hold companies accountable for cyber attacks. However, such judicial and regulatory actions have often been haphazard, due in part to confusion over what constitute reasonable standards of cybersecurity care. This Article analyzes the emerging cybersecurity duty of care and examines the potential impact of the 2014 National Institute of Standards and Technology (NIST) Cybersecurity Framework on shaping reasonable standards of cybersecurity. Given that cybersecurity best practices are not yet well defined, the NIST Framework has the potential to shape standards not only for critical infrastructure firms but also for the private sector writ large. Indeed, the Federal Communications Commission (FCC) in November 2013 wrote that it plans "to use an emerging framework of cybersecurity standards to assess and prioritize best practices... to address evolving cyber threats" in the telecommunications industry. Moreover, the NIST Framework has the potential to shift the cybersecurity landscape internationally, especially in jurisdictions that largely favor a voluntary approach to enhancing cybersecurity, including the United Kingdom, India, and to a lesser extent, the European Union. The uptake of the NIST Framework beyond the United States could help to foster a global standard of cybersecurity care, promoting consistency, benefitting businesses active across jurisdictions, and contributing to cyber peace.
Summary
Introduction 307
I. Review of Existing U.S. Law Shaping a Cybersecurity Duty of Care 311
  A. Determining a Standard of Cybersecurity Care in Negligence Liability 314
  B. A Note on Leveraging Fiduciary Duties to Enhance Corporate Cybersecurity 318
  C. U.S. Statutory Law and Regulatory Requirements for Critical Infrastructure Cybersecurity 320
    1. Financial Sector: Gramm-Leach-Bliley Act Safeguard Rules 321
    2. Chemical Sector: Chemical Facility Anti-terrorism Standards Regulation 322
    3. Healthcare and Public Health Sector: Health Insurance Portability and Accountability Act's Security Rules 323
    4. Energy Sector: North American Electric Reliability Corporation Standard 324
    5. State Data Security Regulations 324
  D. Summary 326
II. Introducing and Examining the NIST Cybersecurity Framework 326
  A. Executive Order 13636 and the Objectives of the NIST Framework 327
  B. Breakdown of the NIST Cybersecurity Framework 329
    1. Framework Core 330
    2. The Framework Implementation Tier 333
    3. The Framework Profile 334
  C. Implementing the NIST Cybersecurity Framework 336
  D. Framework Incentives and...