Will A Cybersecurity Safe Harbor Raise All Boats?
Lawfare, 2024
21 Pages. Posted: 24 Apr 2024
Date Written: March 15, 2024
Abstract
Supply chain cybersecurity incidents are incidents that compromise one party but affect another, and they now dominate the cybersecurity landscape. As organizations rely more often on third-party providers, the digital supply chain is one of the most significant risks to organizational security practices. Sixty percent of security professionals reported in a 2022 survey that third-party data breaches are increasing, and 59 percent of companies surveyed experienced a third-party data breach, the vast majority of which occurred in 2022. Technology professionals cited lack of control, complexity, lack of resources to track third-party activities, third-party turnover, and lack of priority as key reasons for third-party, or “supply chain,” risk.
When supply chain cybersecurity incidents occur and consumers or business customers are harmed, litigation will likely result. However, the U.S. tort system, designed largely to address “wrongs” and allocate liability between parties, is rife with challenges that may punish responsible players and may enable organizations with poor practices to escape liability. In part, this is because the tort system is designed mostly for physical failures, not digital ones.
This paper argues for the use of a liability safe harbor consistent with industry standards and safeguards that will both improve domestic cybersecurity practices and reinforce confidence in business transactions. A private certification model, leveraging best-in-class cybersecurity assessment and audit practices, could be bolstered by public auditors and reinforced by downstream litigation models with relatively little cost to U.S. taxpayers.
In this paper, I first examine the unique nature of contemporary cybersecurity challenges, in particular the challenges of managing cybersecurity across a broad supply chain involving multiple technology players that may influence the security of a downstream product. Next, I briefly discuss liability challenges for the supply chain and describe why an alternative path may be needed. Finally, I examine how leveraging a private certification model as a liability safe harbor can provide consistent direction for courts resolving litigation between entities within the technology supply chain.
Specifically, I propose an executive order and associated statute that will establish a process for reviewing and approving preexisting, dominant, and extensive certification types already being used. It will also designate a safe harbor defense to liability for organizations that legitimately qualify for these certifications. Many of these certifications, funded by private organizations, have been used since the early 2000s as a basis for establishing trust between entities, such as those in a technology supply chain, and are well understood in the technology and service provider ecosystem.
A cybersecurity certification safe harbor can evolve and improve as adversaries and threat models inevitably change. If a safe harbor establishes a reasonable floor for expected cybersecurity practices but also provides reasonable updates over time, organizations using this safe harbor to avoid potential liability will collectively and consistently improve their cybersecurity practices. To accomplish this, as well as truly improve confidence in the digital supply chain, the U.S. must determine which certification models will adequately ensure these practices and certify associated certification-granting organizations.
Using cybersecurity certification as the basis for providing a complete defense to liability may not prevent every harm from occurring. However, if organizations invest in certification to avoid legal liability, this should collectively improve the resilience and quality of technology products in the United States and beyond.
This article was published as part of the Security by Design Paper Series on Lawfare, first published March 2024.
Keywords: cybersecurity, cybersecurity law, data protection, products liability, safety, negligence, tort law, administrative law, data breach