Cybersecurity Framework “Best Practices” Released: What You Need to Know

Legal Alerts

2.18.14

After a year of collaboration between the National Institute of Standards and Technology (NIST) and the private sector, the White House and NIST released version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”) on February 12, 2014, pursuant to Executive Order 13636. NIST’s press release and Framework 1.0 are available at the following link: http://www.nist.gov/itl/csd/launch-cybersecurity-framework-021214.cfm.

What you need to know

1) Scope: The Framework collects cybersecurity best practices and is aimed primarily at critical infrastructure sectors, including communications, critical manufacturing, health care, energy, information technology, and finance.[1] Use of the Framework is voluntary. However, recent retail breaches have prompted members of Congress to introduce bills that would require organizations to adopt safeguards or face civil penalties, a model similar to the compliance regime already in place for financial institutions.

2) Privacy: Since the last draft, NIST has removed the stand-alone privacy appendix from the Framework and instead addresses privacy considerations within the “How to Use the Framework” section. This change reduces the risk that privacy obligations will be imposed on organizations simply because they use the Framework.

3) Duty of Care: Many are concerned that the Framework will impose a de facto duty of care on organizations that adopt it. This risk should be evaluated case by case. Know what is in the Framework and consider whether it could create legal exposure for your organization. If your organization already has Framework measures in place, or could readily implement them, you may be able to defend against a claim by pointing to the Framework as evidence that the applicable duty of care has been met. Viewed that way, the Framework may pose minimal risk and may even have value in litigation.

4) Adoption: What “adoption” will mean in practice is still being worked out. Adoption will likely be sector-driven or coupled with an assortment of legislative incentives, and regulators in sectors such as health care and energy may impose stricter, sector-specific requirements once adoption is defined. Adoption incentives are also under development. The Department of Homeland Security is leading the incentives effort through the Voluntary Program Working Group and has established the Critical Infrastructure Cyber Community (C3) Voluntary Program to engage potential adopters.

Dykema is involved in the above-described initiatives and is monitoring developments. Should you want additional information, please contact the authors of this alert—Jonathan Feld at (202) 906-8716 or (312) 627-5680 or jfeld@dykema.com and Susan Asam at (313) 568-5332 or sasam@dykema.com—or any of the Dykema attorneys listed to the left.


[1] See DHS’s list of designated critical infrastructure sectors, at https://www.dhs.gov/critical-infrastructure-sectors.

As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. © 2014 Dykema Gossett PLLC.