New NIST cybersecurity standards could pose liability risks
Critical infrastructure companies could face new liability risks if they fail to meet voluntary cyber security standards being developed by the National Institute of Standards and Technology.
The slated release of the standard draft was delayed due to the federal government shutdown. A preliminary version of the draft standard has been circulating, however. The formal draft version, when released, will be available for public review until February 2014, according to the original schedule. Once the review is complete, a final version of the standards that incorporates changes recommended by stakeholders will be released.

The NIST cyber security framework is designed to serve as a security best practices guide for organizations in critical infrastructure sectors, like power, telecommunications, financial services and energy. It is not designed to mandate specific security controls. Rather, it offers broad standards for identifying and protecting critical data, services and assets against cyber threats.

While participation in the standards program is voluntary, in practice, critical infrastructure owners and operators will likely be left with little choice but to follow the standards, or at least show they have comparable security measures in place, said Jason Wool, an attorney with Venable LLP, a Washington DC-based law firm. Companies that ignore the standards and are breached will open themselves up to negligence, shareholder and breach of contract lawsuits along with other liability claims. The standards will likely be viewed as the minimum level of care and integrity within critical infrastructure sectors, Wool noted.