As courts and legislatures around the country struggle with issues related to data breaches, cyber, technology and privacy, they are finding a lack of standards to guide them through their struggles. Of course, a court may struggle to determine whether a duty was breached in a data breach case if there is no standard to determine what the duty is, what a breach is, or what constitutes data. Likewise, a legislature will not be able to create a statutory framework to protect its citizens if it does not speak the “language” of data protection. Further, even if a court can understand the fundamentals related to a particular cyber issue, a court may find a patchwork of state and federal law may govern the analysis of that issue.
A recent example was seen when the United States District for the District of Columbia was called upon to address questions related to a search warrant issued for electronically information stored on the “cloud.” Specifically, in In Re Search Of Information Associated With [Redacted]@gmail.com That Is Stored At Premises Controlled By Google, Inc., 2017 WL 3445634 (D.C. Cir. July 31, 2017 D) the D.C. District Court analyzed whether the government was entitled to data held by Google on its cloud. (“The basic legal question confronting us is not a total stranger to this Court. [citation omitted] With the growing interdependence of world trade and the increased mobility of persons and companies, the need arises not infrequently, whether related to civil or criminal proceedings, for the production of evidence located in foreign jurisdictions.”) In Google, the D.C. District Court summed up this issue as follows:
As a result, the judiciary and legislature have been challenged to keep up with precipitous advancements in technology and global interconnectedness. Traditional notions of “territoriality” and “jurisdiction” have been muddied, especially when it comes to determining the scope of statutes governing access and disclosure of electronic records and communications. The picture is murkier still with the advent of so-called “cloud” computing, which is “the capacity of Internet-connected devices to display data stored on remote servers rather than on the device itself.”
And, while grappling with these new technological concepts, courts are beginning to look to the few common standards available, such as those created by National Institute of Standards and Technology (“NIST”) to form the structure for their decisions. For example, the D.C. District Court relied on a definition of “cloud computing” found in the NIST standards.
In its simplest terms, as the NIST standards gain acceptance, we may soon see a court find liability for a cyber incident when a litigant fails to meet the NIST standards to safeguard data. Therefore, it is even more important to keep current on the NIST standards, which are constantly in transition, as these standards continue to be relied upon to determine legal duty and responsibility.
On August 15, 2017, the Department of Commerce released Draft NIST Publication 800-53, entitled, Security and Privacy Controls for Information Systems and Organizations, which is intended to provide a “catalog of security and privacy controls for federal information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile attacks, natural disasters, structural failures, human errors, and privacy risks.” The stated objectives of the NIST publication includes: “…to make the information systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable.” And, in meeting these objectives, the NIST publication provides the following “key questions that should be answered by organizations when addressing their security and privacy concerns:
- What security and privacy controls are needed to satisfy the organization’s security and privacy requirements and to adequately manage risk?
- Have the security and privacy controls been implemented or is there an implementation plan in place?
- What is the desired or required level of assurance (i.e., confidence) that the selected security and privacy controls, as implemented, are effective in their application?”
At this point, NIST is seeking public comment from August 15, 2017 through September 12, 2017. NIST anticipates having a final draft of this publication complete by October 2017 and a final version published by December 29, 2017.
While the NIST Standards are intended to create “minimum requirements for federal information systems,” these standards have proven to be the most-comprehensive set of standards for industries that have not adopted their own standards. Consequently, we can expect to see courts and legislatures continue to borrow terms and concepts from NIST when there are no other standards to rely upon. Further, insurers may soon require their insureds show they meet NIST standards during the application process as well as through the effective dates of coverage.