Several states have enacted or are taking steps towards legislation offering businesses incentives for cybersecurity. Typically, the incentives take the form of affirmative defenses – a legal term for negating criminal or civil liability following a data breach when the business has implemented measures that conform with recognized cybersecurity frameworks. In other words, they give businesses leeway in the event of a breach if best efforts were in place beforehand.
The trend for offering businesses incentives for cybersecurity started in 2018 with the Ohio Data Protection Act (SB 220). Under SB 220, eligible businesses in Ohio that experience a data breach can use an affirmative defense against tort claims in data breach litigation. Businesses meet eligibility by implementing a documented cybersecurity program designed to protect:
The security and confidentiality of individually identifiable personal information
Against anticipated threats to the security or integrity of personal information
Against unauthorized access to personal information that is likely to result in identity theft or fraud
Although SB 220 does not stipulate a minimum security standard, eligible businesses must implement measures appropriate to the nature of their operations. Furthermore, the implemented program must “reasonably conform with” a recognized cybersecurity framework such as the National Institute of Standards and Technology (NIST) 800-63, the International Organization for Standardization (ISO) 27001, or the Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense.
Earlier this year, Utah and Connecticut enacted similar legislation. Utah’s Cybersecurity Affirmative Defense Act (HB 80) includes more exceptions than Ohio’s equivalent law. Connecticut’s Act Incentivizing the Adoption of Security Standards for Businesses (HB 6607) defines what constitutes personally identifiable information (PII).
However, in addition to offering businesses incentives for cybersecurity, Connecticut has also tightened up its breach notification rules. The Act Concerning Data Privacy Breaches (HB 5310) now requires businesses to inform customers when reasonable grounds show login credentials have been compromised.
Several other states have pending legislation offering cybersecurity incentives. Most follow the Ohio, Utah, and Connecticut models. For example, the text of the proposed Acts in Illinois (HB 3030) and New Jersey (AB 3984) closely replicates Connecticut’s, while a proposed Act in Georgia (HB 260) will require businesses to undergo an annual cybersecurity audit to be eligible for the incentives.
None of the laws offering businesses incentives for cybersecurity stipulate which technologies to use to reasonably conform with recognized cybersecurity frameworks. However, the Center for Digital Government recently published a whitepaper advocating the use of password managers to bolster security by reducing the likelihood of human error. The whitepaper lists several features a platform should have to support cybersecurity best practices, which include:
An encrypted password vault that stores strong, unique passwords for each site and application
A zero-knowledge approach so the only person with knowledge of the password is the person who created it
Weak and duplicated password detection and mechanisms (typically policy engines) to prevent their use
Fine-grained access controls with logging and monitoring capabilities and the potential to integrate with SIEMs
Mechanisms to allow secure credential and sensitive data sharing to support collaboration in hybrid and distributed work environments
Multi-device and multi-platform support with the option to enforce two-factor authentication on critical accounts
Capabilities to support compliance with cybersecurity frameworks such as NIST 800-63, ISO 27001, and SOC 2
Businesses reduce the chances of a data breach with a password manager by:
Preventing the use of weak and duplicated passwords
Controlling password sharing, including who can share and what can be shared
Enforcing two-factor authentication to reduce the likelihood of a successful phishing attack
Businesses can also comply with the requirements of states offering businesses incentives for cybersecurity. Furthermore, a password manager can help build an online security culture that further protects data.
A business password manager such as Bitwarden offers security benefits for the workplace and its employees. System administrators can securely allocate, share, and change corporate passwords, while employees can create strong passwords and store shared credentials.
Take Bitwarden for a spin by starting a free 7-day enterprise trial, which includes enterprise password policies, SSO authentication, account recovery capabilities, and more.