SBS CyberSecurity - Iowa Cybersecurity Bill Introduces Affirmative Defense

Iowa SF 2252

A new Iowa law could quickly dictate the level of responsibility your organization has following a data breach. Introduced in January 2020 as Senate File (SF) 2073 and recommended for approval as SF 2252, this new bill states “It is an affirmative defense to any claim or action alleging that a person’s failure to implement reasonable security measures resulted in a breach of security, that the person established, maintained, and complied with a written cyber security program.”

What is Affirmative Defense?

Affirmative defense is a set of facts that defeat or mitigate the legal consequences of the defendant’s otherwise unlawful act. An organization can admit to guilt, but they can use an explanation or justification to mitigate the legal penalty stemming from a cyber incident. In this case, the defense will be a formal (written) cybersecurity program that “conforms to current and accepted industry standards regarding cyber security and personal information security protection,” including the NIST Cybersecurity Framework (CSF).

Iowa SF 2252 would not preclude an organization from being named a party to a lawsuit; however, the law does provide a potential defense in the event an organization has developed a strong cybersecurity program, but still suffers a data breach. Senate File 2252 would amend Iowa’s existing data breach notice regulation.

Not the First Cyber Safe Harbor Law

Iowa would not be the first state with this type of legislation. In August 2018, the Ohio legislature passed Senate Bill 220, which took effect on November 2, 2018. Ohio SB 220 is very similar to Iowa SF 2252, as it provides safe harbor (affirmative defense) to Ohio covered entities that implement and comply with a cybersecurity program based upon industry best-practice cybersecurity frameworks. Ohio SB 220 has two caveats, however. The first is that SB 220 only applies to tort claims, and the second is that such tort claims are based on Ohio law or brought to an Ohio court.

More to Come?

Such affirmative defense laws are likely to gain traction in other states as well. Not only does this type of law encourage organizations to create, maintain, and comply with a strong cybersecurity program that will lead to better cybersecurity protections for everyone, these laws will also provide a defense for organizations that are compromised despite having solid cybersecurity controls in place. There is no such thing as 100% secure in today’s cybersecurity landscape, even with a strong cybersecurity program.

SBS CyberSecurity has been helping organizations from all industries build, maintain, comply with, and test cybersecurity programs for the past 15 years. If your organization is looking to understand your cyber risk, create a cybersecurity program, and make more intelligent cybersecurity business decisions, SBS can help.

Written by: Edin Y Cordona and Jon Waldman, SBS CyberSecurity

SBS Resources:

Digital Forensics and Incident Response: From malware to attacker network penetration and insider threat - organizations must be prepared to detect incidents and respond appropriately. Staying current with threat protection, detection, and recovery tactics requires a specific set of training and expertise that not all organizations are able to handle on their own. The SBS Digital Forensics and Incident Response (DFIR) team can help you better prepare for an incident or assist with an active incident.

Related Certifications: Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute.

from SBS CyberSecurity https://sbscyber.com/resources/iowa-cybersecurity-bill-introduces-affirmative-defense
