Toward a Global Cybersecurity Standard of Care? Exploring the Implications of the 2014 NIST Cybersecurity Framework on Shaping Reasonable National and International Cybersecurity Practices
59 Pages. Posted: 7 Jun 2014. Last revised: 15 Jul 2014
Date Written: June 5, 2014
Abstract
Even though U.S. congressional and multilateral efforts aimed at enhancing cybersecurity have thus far largely failed in their aims, courts are using existing doctrines including negligence to hold companies accountable for cyber attacks. However, decisions have been largely haphazard due in part to confusion over what constitutes cybersecurity best practices. This Article analyzes the emerging cybersecurity duty of care, and examines the potential impact of the 2014 National Institute of Standards and Technology (NIST) cybersecurity framework, particularly on negligence law. Given that best practices are not yet well-defined in this space, the NIST framework has the potential to help define the standard for not only critical infrastructure firms, but the private sector writ large. There is some evidence this is already happening, such as in reference to an FCC/telecom release in November 2013: “The telecommunications industry and the Federal Communications Commission plan to use an emerging framework of cybersecurity standards to assess and prioritize best practices for the sector as it works to address evolving cyber threats...” The NIST framework has the potential to shift the cybersecurity landscape not only in the United States, but also potentially in other jurisdictions favoring a largely voluntary approach to enhancing cybersecurity such as the United Kingdom, the European Union, and India. For businesses active across jurisdictions, and depending on the uptake of the NIST framework by stakeholders, a global duty of cybersecurity care could emerge that would promote consistency and contribute to cyber peace even absent regulatory action.
Keywords: cybersecurity, NIST, critical infrastructure