CISWG Liability SubGroup Report

Executive Summary  

    The Mission of the Corporate Information Security Working Group (CISWG) on Incentives/Liability and Safe Harbors was to recommend specific incentives that, if enacted, would result in broad, effective, and sustainable improvements in cyber security.  

    In Phase I, the Sub-Group identified a set of principles based on the belief that a program of positive incentives would be more likely to generate effective long-term results, increasing confidence in technology and producing a better environment for the American economy and consumers. Phase I laid out a set of nearly a dozen positive incentive programs, including the consideration of tax incentives, awards programs, expedited permitting, and liability and safe harbor incentives. In Phase II, the Sub-Group focused on the liability and safe harbor issues, but this is not to diminish the need to thoroughly examine the other incentive programs outlined in the Phase I report.  

    Following extensive deliberations, the Sub-Group wrote and debated two alternative proposals describing how a liability incentive program might be established. Proposal A argued that existing mechanisms, developed in the private sector, should be used to determine the standards and practices that are to be rewarded. Proposal B specified a list of 11 criteria, largely drawn from the CISWG metrics sub-group, that would become a federal baseline for achieving safe harbor benefits, with a federal agency designated to expand and modify these criteria as it sees appropriate.  

    A vote was held to decide which of these proposals would become the Sub-Group recommendation. Seven of the 11 active entities in the Sub-Group voted to approve only Proposal A (private sector) and three voted to approve BOTH A and B. One entity voted to approve neither proposal. Subsequently, a vote was taken on the later sections of the paper, which align specific benefits with Proposal A. That vote was eight in favor, one opposed and two not voting. Proposal A and the alignment paper thus became the Sub-Group’s Final Report.  

    The Sub-Group finds that within the marketplace there exists a robust assortment of published regulations, standards, best practices, and similar guidance. Research shows that compliance with these existing practices can indeed result in demonstrable improvements in cyber security. Indeed, the largest study in the field to date found that the approximately 20% of companies deemed the “best practices group” suffered less monetary damage and downtime than less careful corporations, and one-third of this group suffered no such inconvenience despite being targeted by attackers regularly.  

    Further, the Group found that while there apparently are effective best information security practices operative in the world, there is still a consensus that no one size fits all. What qualifies as a best practice for a specific entity will be affected by the size of the entity, the culture or cultures it operates within, its sector-specific regulatory status, and a range of other variables.  

    Government’s role in the public-private partnership is to fashion an incentive program for the good actors that will create a business advantage for them over less careful players. In so doing, we hope to harness the power of the market to motivate cyber security.

      We do not endorse the creation of a federally specified standard of information security to be applied to the vast private sector. We are concerned that such an approach would be too static and could put U.S. business at a competitive disadvantage. Such an approach also might not be appropriate across various sectors, might be weaker than needed due to the political nature of the regulatory process, and hence could be counterproductive. It would also be very hard to enact legislatively.

    Instead, we propose that companies have federal incentives available to them if they implement information security pursuant to, and meet, the following:

  • Information security procedures adopted by a Federal sector-specific regulatory agency.
  • Standards established and maintained by the following recognized standards organizations:
    · International Organization for Standardization
    · American National Standards Institute
    · Electronic Industries Alliance
    · National Institute of Standards and Technology

  • Standards established and maintained by an accredited security certification organization or a self-regulatory organization such as NASD, BITS, or the emerging CISP structure.

  Finally, the Sub-Group analyzed the various types of incentives available and proposes a series of classes for organizing them: the greater an entity’s ability to demonstrate performance of agreed-upon security practices, the greater the benefit. These incentives and their classification will require further analysis as part of the enactment process.

These benefits include:

    • Limits on FTC Jurisdiction – a company that demonstrates it implemented information security controls pursuant to the identified standards should not be considered as conducting an unfair or deceptive practice. Similar state-based claims would also be pre-empted.

    • Limits on State Actions – Once a company has demonstrated it has met the security requirements, then plaintiffs should face additional burdens, such as a higher burden of proof, a prohibition on punitive damages, a prohibition on third-party liability, pre-litigation notice requirements, or a cap on damages.


Mission

    As agreed in CISWG Phase I, the mission of the liability subgroup has been to recommend consideration of specific incentives which will positively motivate behavior resulting in broad, tangible improvements in cyber security. These incentives, and their effects, need to be both effective and sustainable.

    In CISWG Phase II, the group has focused on a safe harbor incentive, and divided the mission into two components: (1) identifying the types of incentives that could be offered in order to spur investments in information security, thus protecting customers and improving the security of the nation's infrastructure, and (2) identifying those behaviors in developing information security that should qualify companies for these incentives. Specific emphasis has been given to evaluating, and recommending, practices that are developed within the marketplace.


I. Principles

In addition to principles relating to applying traditional regulatory structure to information security, the CISWG Phase I Liability subgroup provided the following principles: 

  1. A cyber security program based on positive incentives is more likely to generate long-term and more effective results. This will ultimately increase consumer and business confidence in advanced technology and result in a better environment for the American economy in general and American businesses and consumers in particular.

  2. A program of positive incentives (including but not limited to insurance or tax incentives and/or liability and safe harbor protections) is likely to be an effective means of implementing a comprehensive cyber security risk management program because it can:
    · Encourage private industry, which is better able to innovate and maintain the array of tools necessary to adequately police Internet security.
    · Be readily applicable internationally, due to the international nature of major corporations.
    · Be more responsive to changes in technology.
    · Encourage executive buy-in, due to the inherent advantages of a “return on investment” approach.
    · Use market-based incentive programs that are more readily designed to apply to the broad cross-section of entities who use and must protect the Internet.

II. Proposal

    In order for any federal incentives to be effective, they must be tied to discernible, consistent, and well-defined practices. First, an entity must have confidence that the practices it employs qualify it for the benefits of the incentives. Second, in order to provide the most meaningful incentives to both small and large entities, the legislation must offer incentives on a consistent basis; variations among an increasing number of state information security statutes, which are both conflicting and overlapping, must not disrupt the availability of the incentives.  

    Taking these considerations into account, and following extensive deliberations, the subgroup constructed two alternative proposals: one (Proposal A) arguing that existing mechanisms primarily based in the private sector be used to determine the standards and practices that are to be rewarded, and another (Proposal B) which specified a list of 11 criteria that would become a federal baseline for achieving safe harbor benefits, with a federal agency designated to expand and modify these criteria as it sees appropriate.  

    The Incentives/Liability and Safe Harbor group, consisting of 11 entities, voted to support Proposal A (use of private sector mechanisms). The vote was 7 entities in favor of Proposal A, 3 entities in favor of presenting BOTH Proposal A AND Proposal B co-equally, and one entity opposed to both. 

      What follows is a description of what was formerly known as Proposal A and is now designated the Incentives/Liability and Safe Harbor Sub-Group’s report.    

Findings. Within the marketplace, there is a robust assortment of published regulations, standards, best practices and similar guidance that address the manner in which information security is to be developed and implemented in commerce. Some of these publications target specific nations as well as international audiences; others address the requirements of specific trades or industries. Recent research shows that compliance with these existing practices can indeed result in demonstrable improvements in cyber security.  

    The largest security research project ever done, the 2004 “Global Information Security Survey” (September 2004), found that about one-fifth of its respondents, dubbed the “best practices” group, report that, although they suffered more cyber incidents than the average respondent (presumably because they are more attractive targets), they had less downtime and monetary damage. Indeed, one-third of the group reported zero downtime and zero financial impact, despite being targeted more often by malicious actors.   

    These findings provide compelling evidence that there is a substantial number, though not a majority, of “good actors” in the corporate information security field. These organizations have, through various mechanisms, identified and implemented effective information security measures. The work of these good actors should be recognized and encouraged.

    Encouragement of the effective work in information security that has already been demonstrated should take two different forms. First, other entities beyond the early adopters of these effective best practices should be encouraged to emulate them and adopt these, or appropriately similar, practices. Second, the already-identified effective practices need to be continually adapted to keep pace with the changing technological and security needs that are inherent parts of the cyber-landscape.   

    So, while there apparently are effective best information security practices already operative in the corporate world, there is a general consensus that no one standard or guidance “fits” all of the information security requirements of all industries. What qualifies as an appropriate best practice for a specific company or entity will be affected by the size of the organization, the culture – or cultures – within which it conducts business, its sector-specific regulatory status, and a range of other variables. What is consistent is that a demonstrable investment is being made in the private sector to continue to develop and improve cyber security in order to enhance the trustworthiness of electronic commercial practices, for businesses and consumers.   

    Government can provide a vast assist to this effort by fashioning an incentive program for the good actors that will create a business advantage for them over less careful players. In so doing, we hope to harness the power of the market to motivate cyber security on a worldwide basis.  

Indeed, the CISWG Liability Subgroup has found that:  

    1. There is not at present, and may not be, a consensus set of metrics, benchmarks, or certified standards that would qualify all complying organizations for legal protection.  
    2. There is an array of measurements, across a range of sectors and business types that may be useful in developing a system of safe harbors that might motivate organizations to improve their information systems.
    3. There is a range of protections (immunity, damage caps, allowable defenses, burden of proof standards, etc.) available, which might motivate improved cyber practices. 
    4. There are a variety of organizational mechanisms (legislatures, regulatory bodies, SROs, trade associations, national and international standard setting bodies, etc.) capable of defining appropriate levels of behavior, which might qualify specified organizations for a level of liability protection. 
    5. The best mechanisms for ensuring the needed ongoing security upgrades over time are those generated through the private sector that follow clear, thorough, privately generated standards and practices, and which the public sector can recognize and reward with benefits.   

        Our group does not endorse the creation of a federally specified metric of information security to be applied to the vast private sector. We are concerned that such an approach would be too static and could put U.S. industry at a competitive disadvantage. It might not account for the sector-specific differences that should be considered, might be weaker than needed due to constant political pressure, and hence could even be counterproductive to the constantly evolving security needs of ever-changing technology. It would also be extremely difficult to enact legislatively.

    Market-based Standards. We suggest encouraging the mechanisms existing within the market to continue to evolve appropriate information security practices, motivated by the development of additional Federal incentives and benefits. These mechanisms exist in several different venues:  

      • ISO/IEC 17799 is a widely recognized foundation for information security, setting forth guiding principles of significant breadth and flexibility.
      • Industry groups have developed specific procedures appropriate to their industry. An outstanding example is the manner in which ISO/IEC 17799 has been incorporated into the Responsible Care® Program of the American Chemistry Council. 
      • Specific business arrangements or practices can require targeted information security controls, such as those required by COBIT, a prevailing standard being implemented by public companies in response to Sarbanes-Oxley. 
      • Companies can adopt specific internal standards to govern their internal operations, as well as specific standards that describe information security controls within their entire network of trading partners (which can often be a significant industry within our nation’s infrastructure). An example is the VISA Cardholder Information Security Program (CISP), which requires compliance by all entities that store, process or transmit Visa cardholder data.  

          However, in order to provide the stability and predictability that CISWG agrees must be present, the Federal incentives must be associated with those standards that are widely recognized and have broad endorsement; this helps assure that there is no effort to merely craft a “lowest common denominator.” Specifically, we propose that companies should have available the Federal incentives if the company implements information security pursuant to, and meets:  

      • Information security procedures adopted pursuant to, and in compliance with, Federal regulations applicable to the industry in which a commercial entity conducts business. (This has the effect of avoiding any duplication of rules to which a commercial entity is already subject, for example with respect to personal information.)
      • Information security procedures that are established and maintained pursuant to applicable standards published by recognized standards organizations. Specific sponsoring organizations to be recognized by the enabling legislation would be:
      · International Organization for Standardization.
      · American National Standards Institute.
      · Electronic Industries Alliance.
      · National Institute of Standards and Technology.

      • As appropriate, the enabling legislation could also identify existing, recognized standards of these organizations which would be the basis for evaluating the availability of the proposed Federal incentives.  
        • Information security standards that are established and maintained pursuant to requirements of “self-regulatory organizations” (such as NASD; a definition of “self-regulatory organization” appears in the Homeland Security Act). Self-regulatory organizations could be designated for that purpose by appropriate Federal agencies having direct interaction with specific industries, such as financial services. 

        “Self-regulatory organization” (or SRO) means an organization or entity that is not a Federal regulatory agency or a State, but that is under the supervision of a Federal regulatory agency and is authorized under Federal law to adopt and administer rules applicable to its members that are enforced by such organization or entity, by a Federal regulatory agency, or by another self-regulatory organization.[1]

        CISWG strongly recommends that two existing organizations be grandfathered as satisfying the criteria for what might qualify as a “self-regulatory organization”:

        · BITS, operated by the Financial Services Roundtable. 
        · The VISA CISP Program referenced earlier.   

        An important aspect of information security is the ability of an entity to have its compliance certified, whether through a formal certification process, audit or self-certification.  Companies that produce certification of their compliance, in addition to merely implementing appropriate standards, should be further motivated by the availability of additional Federal incentives, since such conduct helps improve the trustworthiness of those companies (and their trading partners, suppliers and customers) in an interdependent information economy. Certification can be through self-regulatory organizations or accredited security certification organizations, which provide higher levels of “assurance” that the practices are being implemented and maintained.

        [1] This language is derived from the Homeland Security Act. 

            The following diagram presents a way to visualize this approach.    

        Diagram available shortly

        Based on the preceding:  

        - There is a prevailing view within the CISWG that ISO/IEC 17799 represents a baseline Code of Practice for building any information security policies or programs. While generic, 17799 provides a framework for conducting risk-based analyses to produce appropriate information security policies and programs. That baseline recurs across four different levels of further sophistication and maturity:  

        · Self-administered programs.
        · Regulatory specifications of information security.
        · Industry-specific standards that are derived from 17799.
        · Industry-specific standards that are further administered through SRO mechanisms.  

        - There is a consensus that ISO/IEC 17799 represents a reasonable basis in the process of establishing the security requirements for any company. But, as discussed further below, to be entitled to Class 1 benefits (see Part III) a company itself bears the responsibility of demonstrating its compliance with the relevant standards.  

        - There are various requirements for information security that are already established by regulatory agencies (e.g., HHS [for HIPAA]; FDIC, SEC, OCC [for GLB]; FDA), industry-specific standards (such as those of the American Chemistry Council), and self-regulatory organizations.[2] In nearly every instance, the prevailing requirements include a method by which compliance is evaluated and certified. The CISWG Liability Subgroup supports the principle that those entities that go the additional distance of having their compliance with identified standards evaluated and certified, on a regular basis, should be entitled to additional Federal incentives.     

        • Where validation or certification is by an agency, the entity itself, or a third party, this should entitle the entity to Class 2 benefits (as discussed in Part III below).
        • Where validation or certification occurs through the actions or procedures of a self-regulatory organization (where enforcement sanctions put the entity at further risk of some tangible loss in the event of non-compliance) or an accredited security certification organization, this should entitle the entity to Class 3 benefits (as discussed in Part III below).

        [2] While not entirely aligned, each of the recognized standards similarly adopts a 17799-like risk-based analytical framework; the similarities certainly outweigh any distinctive differences.
         

III. Proposed Federal Incentives

            The CISWG sub-group has analyzed various types of incentives that can be made available as a matter of Federal public policy in order to motivate and encourage the private sector toward improved information security, while not imposing new mandatory regulations.  The process has been challenging; nevertheless, the following incentives are recommended for inclusion in enabling Federal legislation. These incentives are proposed in “classes”: the greater the ability of an individual business to demonstrate its investment in, and performance of, information security pursuant to market-driven mechanisms, the greater the incentives that should be available.  

            The incentives are responsive both to concerns arising under Federal law and to various types of state action. Here is a summary of those concerns, followed by a proposed allocation of the incentives that respond to them, together with an explanation of each.    

        • Limits on FTC Jurisdiction. A company that can demonstrate it has implemented information security controls that comply with a specified standard should be entitled to state to its customers, whether as a part of a privacy policy or other similar expressions, that the company employs “reasonable security controls”.  In such event, the occurrence of a security incident should not be considered an “unfair or deceptive trade practice” in the absence of bad faith by the company (e.g., intentional misrepresentation of a specific control). 

        An open question is whether a company, in order to avoid FTC exposure, must take further action to have remedied the incident in order that controls reasonably designed to avoid further similar incidents are put into place (see, also, the discussion of “Continuous Improvement” below).

        No specific decision was reached on the precise words a company may employ in its public statements.  However, the view is strongly held that a company is not being deceptive if, in making such statements, it can show that compliance with an acceptable information security standard has been properly achieved, even if a single security incident subsequently occurs.  

        • Limits on State Actions. Perhaps the greatest concerns of CISWG participants revolve around the potential exposure faced under varied state laws that are being enacted, sometimes very rapidly and with little industry input. Three classes of activity at the state level are of concern:

        · Statutory enactments that are beginning to establish varying requirements for information security (such as California Assembly Bill 1950, enacted in September 2004). As more state legislatures consider these measures, the outlook appears to be increasing inconsistency in information security laws.
        · Potential exposure from state attorneys general (proceeding under state unfair and deceptive trade practice statutes similar to those underlying FTC actions).
        · Lawsuits under tort and other common law claims.

        Within a competitive global environment, the obligation for a company to comply with varying state laws (largely devoted to achieving the same policy objectives) impedes rather than improves competitiveness. Federal security legislation should provide protection from inconsistent state laws in order to ensure that industry officials possess both the guidance and the incentive necessary to adopt information security measures. In order to provide such protection from state law, the legislation should provide the core practices listed above, or similar practices, in order to occupy the field and ensure that the legislation would survive a court challenge. It is also important to avoid any “partial preemption,” such as that resulting from Gramm-Leach-Bliley, which only exacerbates an inconsistent regulatory framework. 

            Consistent with the diagram referenced above, the protections are listed as Class 1, 2, and 3 (aligned with Safe Harbor Benefits 1, 2, and 3 in the diagram) as follows. This arrangement of the possible incentives is presented as only one possible arrangement; the sub-group recognizes that the incentives, and their alignment to each class of validated compliance, will be subject to further analysis as part of the legislative process.  

        Class 1 Incentives  

        • FTC Actions - As discussed above, companies that can demonstrate their implementation efforts are not, by definition, engaging in an “unfair or deceptive practice” if, despite those efforts, security incidents occur.
        • State Common Law and legislation similar to California Assembly Bill 1950 - Once a company has demonstrated that it has met the security requirements outlined, then the plaintiff should face additional burdens in order to prevail:  
        · The burden of proof for the plaintiff to prevail might be raised from a showing of mere negligence to a showing of recklessness or actual knowledge in the defendant’s management of its IT security, and further, that burden would have to be met by “clear and convincing evidence” as opposed to the easier standard of proof, “preponderance of the evidence.” This would properly reward those companies who have shown that they generally met the security requirements described above, while still allowing relief in those cases where the defendant acted with reckless disregard or actual knowledge of the information security vulnerability alleged in a specific instance. Further, where the defendant shows a formal certification at the time of its initial answer to the plaintiff’s complaint, the burden could then shift to the plaintiff to plead with specificity (as opposed to a more general “upon information and belief”) that the harm was caused by a specific security failure.    

        Class 2 Incentives: State Common Law and legislation similar to California Assembly Bill 1950
        • Prohibition of punitive damages. Given the higher level of certification these companies have shown, a strong argument can be made that even if the company is found to have acted recklessly in a particular instance, that level of conduct falls short of the intentional dishonesty or fraud which forms the basis for punitive damages.    
        • Prohibition of third party liability. Given the interdependency of the Internet, a major fear of organizations is that plaintiffs other than the direct victims of the alleged security flaw will “come out of the woodwork” and attempt to sue civilly. Companies that have obtained the higher level of security in Class 2 would know that such non-direct-victim actions would be prohibited. 
        • Pre-litigation notice requirements. If no actual harm has occurred, but there is an allegation of a security flaw, companies that have obtained the higher level of security in Class 2 would benefit from a requirement that the plaintiff, as a pre-condition to civil suit, give notice of the alleged security flaw to the defendant organization, with an opportunity to cure, before litigation could begin.

        Class 3 Incentives: State Common Law and legislation similar to California Assembly Bill 1950

        • Cap on Damages. Liability for direct damages should be limited to the value of any insurance the company has obtained, provided that the amount of insurance maintained against information security losses is appropriate to the type and level of risk that a company in a similar position, with similar certification, should maintain, as determined by methods to be specified. 
        • Sanctions on Abusive Litigation. Companies that have reached this highest level of certification would, in the event they prevail in court, obtain the benefit of sanctions and costs imposed on the plaintiff (similar to Rule 11). This is an appropriate benefit for this class of organizations so that they do not bear the financial costs of a suit brought unsuccessfully against them.

        Other Incentives

            In addition to the benefits specifically recommended above, the sub-group also notes a number of other benefits used in existing safe harbor legislation, including: limitation of co-defendant liability to proportional liability only, imposing upon a plaintiff the duty to mitigate harm, limitation of non-economic losses, prohibition of pre-judgement interest, offsetting damages by recoveries from collateral sources, limitations on discovery, and complete immunity from liability.  
         


        Summary Chart

        The recommended benefits can be summarized in the following chart:

        Class 1
        ✓ Higher Standard of Misconduct: Recklessness or Actual Knowledge
        ✓ Increased Burden of Proof: Clear and Convincing Evidence
        ✓ Pleading: Must plead with Specificity (in case of self-certifications)

        Class 2 (everything in Class 1 PLUS)
        ✓ Pleading: Must plead with Specificity (in all other cases)
        ✓ Prohibition of Punitive Damages
        ✓ Prohibition of Liability against non-victims
        ✓ Pre-litigation Notice with Opportunity to Cure (in cases without actual damages)

        Class 3 (everything in Class 1 and Class 2 PLUS)
        ✓ Insurance: Cap on liability at the amount of insurance maintained (reasonable amounts of insurance required)
        ✓ Costs: Plaintiff to pay costs and expenses and other sanctions in case of losing

        Other (the following other benefits could be evaluated)
        ✓ Proportional liability only for co-defendants (instead of joint and several)
        ✓ Plaintiff has a duty to mitigate harm
        ✓ Limitation on non-economic damages
        ✓ Prohibition against pre-judgement interest
        ✓ Damages reduced by recoveries from collateral sources
        ✓ Limitations on Discovery