The US federal government recently announced a new National Cybersecurity Strategy that poses an increased risk of liability for the private sector. The strategy, announced in March, lays out a new approach to attempting to shore up the security of cyber-networks. It also unfortunately may have serious implications for private companies.
While this new initiative has the potential to benefit Americans by increasing overall security and protecting consumer data, it also leaves private companies in the crosshairs of potential liability should they fail to adhere to new standards.
This National Cybersecurity Strategy seeks to enhance collaboration around what the Biden administration is branding “the five pillars.” They are:
In an effort to implement the so-called “five pillars” approach, the strategy will integrate new regulations for private companies, including enhanced requirements regarding the reporting of cyber-attacks or other security incidents. It also attempts to institute a “common security framework” across both public and private sectors, which could translate into increased expenditures for companies implementing these new strategies.
It is not yet clear whether the strategy provides any liability protections for private companies that are found to have failed to adhere to its standards. Because of this, it is possible that companies could be held liable for any damages as a result of a cyber-attack or data breach.
Although the Biden administration has acknowledged potential liability risks within the plan, it is unclear how or whether it will address them. This means that businesses should regularly evaluate their cybersecurity practices and take steps to ensure compliance with the new National Cybersecurity Strategy’s standards.
As the private sector works to protect itself from potential liability, the National Cybersecurity Strategy provides new guidelines for achieving a higher level of security. They center around maintaining strong authentication and encryption measures, regularly monitoring for nefarious activity, and implementing new and enhanced strategies to prevent data leaks. In addition, in an effort to comply, companies should invest in supplemental employee training to ensure that all staff are aware of their responsibilities and the importance of following safety and security standards.
The administration has also recently submitted a $3.1 billion budget request for the Cybersecurity and Infrastructure Security Agency (CISA), an increase of more than 20% from last year, to help institute this strategy.
Although the National Cybersecurity Strategy is being promoted as an important step towards improving the security of our nation’s networks, the potential for liability remains a concern for private businesses. For that reason, companies should remain vigilant and take additional steps to protect themselves from any legal fallout as a result of new mandated internal policies.