New NIST Cybersecurity Standard Could Pose Liability Risks

October 11, 2013 – In The News
Computer World

Scott Vernick was quoted in the Computer World article "New NIST Cybersecurity Standard Could Pose Liability Risks." Full text can be found in the October 11, 2013, issue, but a synopsis is noted below.

Voluntary cybersecurity standards currently being developed by the National Institute of Standards and Technology (NIST) may pose liability risks to critical infrastructure companies that fail to meet them. A noted authority on privacy law, Vernick said there is a good chance the NIST standards will eventually become sector-specific regulations overseen by the federal agencies in charge of the various critical infrastructure sectors. At that point, covered entities will have no choice but to adopt the standards, Vernick said.

“Once NIST finishes its work, the plaintiffs’ bar will point to it as the standard” even if the standards are initially voluntary, Vernick said. Critical infrastructure owners and operators should, at a minimum, determine how their security measures stack up against the standard, he said.

Companies should consider joining information sharing initiatives and other cybersecurity forums to show they are making an effort to understand new threats, he added. “This really is an area where an ounce of prevention is worth a pound of cure,” he said.