As more states impose cybersecurity obligations on businesses, companies are facing the increasingly difficult task of trying to demonstrate that their security programs and policies are “reasonable.” Compounding that challenge is the fact that regulators often provide little to no guidance on what exactly would constitute a “reasonable” or otherwise appropriate cybersecurity program.
In lieu of specific guidance, one approach regulated entities could take is having their cybersecurity programs and policies evaluated under the SAFETY Act, a liability management program administered by the U.S. Department of Homeland Security. Under the SAFETY Act, DHS will review cybersecurity policies and procedures to determine if they are “effective” and “useful” in deterring, defeating, responding to, or otherwise mitigating the threats posed by cyberattacks.
Successfully moving through a SAFETY Act review would thus not only give companies affirmative defenses that can be used to minimize or eliminate civil liability, but also provide them with a very strong factual argument: DHS has found the security programs and policies in question to be “reasonable,” and so should other regulators.
In this Briefing, please join Pillsbury Winthrop Shaw Pittman LLP Partner Brian E. Finch and Senior Counsel Cassie Lentchner as they explain:
- What types of cybersecurity programs and policies are eligible for review under the SAFETY Act;
- Examples of cybersecurity and privacy regulations that mandate specific cybersecurity measures be taken; and
- How the SAFETY Act can be used to demonstrate compliance with regulations such as the New York Department of Financial Services cybersecurity regulation, the New York SHIELD Act, and the California Consumer Privacy Act.