Toward a Global Cybersecurity Standard of Care? Exploring the Implications of the 2014 NIST Cybersecurity Framework on Shaping Reasonable National and International Cybersecurity Practices

59 Pages. Posted: 7 Jun 2014. Last revised: 15 Jul 2014

Scott Shackelford

Indiana University - Kelley School of Business - Department of Business Law; Harvard Kennedy School Belfer Center for Science & International Affairs; Center for Applied Cybersecurity Research; Stanford Center for Internet and Society; Stanford Law School

Andrew A. Proia

Brenton Martell

Indiana University Bloomington

Amanda Craig

Indiana University Maurer School of Law

Date Written: June 5, 2014

Abstract

Even though U.S. congressional and multilateral efforts aimed at enhancing cybersecurity have thus far largely failed in their aims, courts are using existing doctrines including negligence to hold companies accountable for cyber attacks. However, decisions have been largely haphazard due in part to confusion over what constitutes cybersecurity best practices. This Article analyzes the emerging cybersecurity duty of care, and examines the potential impact of the 2014 National Institute of Standards and Technology (NIST) cybersecurity framework, particularly on negligence law. Given that best practices are not yet well-defined in this space, the NIST framework has the potential to help define the standard for not only critical infrastructure firms, but the private sector writ large. There is some evidence this is already happening, such as in reference to an FCC/telecom release in November 2013: “The telecommunications industry and the Federal Communications Commission plan to use an emerging framework of cybersecurity standards to assess and prioritize best practices for the sector as it works to address evolving cyber threats...” The NIST framework has the potential to shift the cybersecurity landscape not only in the United States, but also potentially in other jurisdictions favoring a largely voluntary approach to enhancing cybersecurity such as the United Kingdom, the European Union, and India. For businesses active across jurisdictions, and depending on the uptake of the NIST framework by stakeholders, a global duty of cybersecurity care could emerge that would promote consistency and contribute to cyber peace even absent regulatory action.

Keywords: cybersecurity, NIST, critical infrastructure

Suggested Citation

Shackelford, Scott J. and Proia, Andrew and Martell, Brenton and Craig, Amanda, Toward a Global Cybersecurity Standard of Care? Exploring the Implications of the 2014 NIST Cybersecurity Framework on Shaping Reasonable National and International Cybersecurity Practices (June 5, 2014). Texas International Law Journal, 2015; Indiana Legal Studies Research Paper No. 291. Available at SSRN: https://ssrn.com/abstract=2446631

Scott J. Shackelford (Contact Author)

Indiana University - Kelley School of Business - Department of Business Law

Bloomington, IN 47405
United States

Harvard Kennedy School Belfer Center for Science & International Affairs

79 JFK Street
Cambridge, MA 02138
United States

Center for Applied Cybersecurity Research

Wylie Hall 105
100 South Woodlawn
Bloomington, IN 47405
United States

Stanford Center for Internet and Society

Palo Alto, CA
United States

Stanford Law School

Stanford, CA 94305
United States

Brenton Martell

Indiana University Bloomington

100 South Indiana Ave.
Bloomington, IN 47405
United States

Amanda Craig

Indiana University Maurer School of Law

211 S. Indiana Avenue
Bloomington, IN 47405
United States
