After a year of public-private collaboration and considerable anticipation, the National Institute for Standards and Technology’s (NIST) cybersecurity framework for critical infrastructure has arrived. The interest in the framework has only grown after several high profile data breaches in late 2013 have cast an unrelenting spotlight on cybersecurity issues. The framework presents businesses with important questions about whether and how they should use it, and—as cybersecurity-related class actions multiply—how the plaintiffs’ bar intends to invoke the framework.
After attempts at more comprehensive legislation faltered, President Obama issued an executive order (EO 13636) requiring development of the framework. By design, the framework is both voluntary and limited in its application. Most significantly, it only applies to critical infrastructure. In addition, it contemplates the creation of incentives to support its adoption and possible follow-on regulatory “actions to mitigate cyber risks,” and leaves unresolved the ongoing debate over information sharing and attendant liability protections.
But while the framework is voluntary, it likely will be influential. The Administration, for example, has said that in developing the framework it intended to “leverage” “common cybersecurity practices” to improve the cybersecurity of critical infrastructure. For critical infrastructure operators, multiple questions arise, including (1) will regulators rely on the framework; (2) how, if at all, will insurance markets account for the framework; and (3) will plaintiffs’ attorneys invoke the framework to exert leverage of their own via class action litigation.
Even before the framework’s introduction, many observers recognized the possibility that—in light of the SEC’s increasing emphasis on the appropriate disclosure of cyber risks— the plaintiff’s bar would press securities litigation alleging material omissions or misrepresentations about such risks. Recognizing that such lawsuits may be inevitable, businesses that operate critical infrastructure surely will want to take account of the framework both in assessing their cybersecurity posture and in disclosing the existence of cyber risks. In particular, companies should consider whether to incorporate elements of the framework (e.g., a “Framework Profile”) into their public disclosures.
Another significant issue is that, because the framework arguably may facilitate board-level awareness and management of cyber risk, plaintiffs may be more likely to bring actions against officers and directors for breach of fiduciary duties in connection with cyber incidents. Although the success of such actions remains to be seen, the release of the framework underscores the importance of cybersecurity to corporate boards and top executives.
At the same time, in our view, businesses should be reassured by the fact that nothing in the framework suggests that a company’s decision not to adopt an individual element—what it calls an “informative reference”—should form the basis of a future lawsuit, whether for data breach or other harm. Indeed, the framework specifically states that it is not a checklist and that it is not “one-size fits all.” Transforming an “informative reference” from the framework into a stand-alone requirement is not a mandate that the framework contemplates or supports. Attaching liability to individual “informative references” would create static cybersecurity checklists that the framework specifically rejects; indeed, it would frustrate the continued development of appropriate cybersecurity protections that the framework itself is aimed to encourage. Companies should therefore be prepared to defend against attempts to elevate the framework into liability standards, which would frustrate the Framework’s goal of providing a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to managing cybersecurity risk.
The stakes of cyber attacks are high. So too are the stakes of litigation that are likely to ensue. The NIST Framework doubtless will be cited in that litigation, but, properly understood, it should not form the basis of a claim. To that end, we will be watching closely to see whether the plaintiff’s bar seeks to use the framework in ways that would defeat its stated purposes.