"States Try Incentive-Based Cybersecurity"
Three states have passed cybersecurity laws that place the burden of proof on the accused, which means that an organization that suffers a breach can avoid disciplinary action if it can demonstrate that it adhered to recognized cybersecurity frameworks and implemented the best controls available at the time. During a session titled "The State(s) of Cyber Incentives – Creative Laws Driving Better Security" at the 2022 RSA Conference, panelists said that providing a financial incentive prompts better security. The panelists also pointed out both the need for cyber insurance plans and the difficulty of obtaining them. It had been assumed that insurers would set cybersecurity standards, much as insurers inform building codes, but it is easier to predict the impact of natural disasters than the effects of ransomware or Denial-of-Service (DoS) attacks. This article continues to discuss key points made by panelists at RSA pertaining to incentive-based cybersecurity, the Cybersecurity Standards Act, the Ohio Data Protection Act (ODPA), Utah's Cybersecurity Affirmative Defense Act, and cyber insurance policies.