Monday, November 26, 2018

Safe harbor for entities that exercise reasonable security!

Companies that implement and meet reasonable security controls (administrative, technical and physical safeguards) to protect personal and confidential data may have an affirmative defense when a cybersecurity breach occurs.

According to Locke Lord, LLP, the qualifying frameworks are:

For all businesses:
-NIST Cybersecurity Framework
-NIST Special Publication 800-171 ("Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations")
-NIST Special Publications 800-53 ("Security and Privacy Controls for Information Systems and Organizations") and 800-53A ("Assessing Security and Privacy Controls in Federal Information Systems and Organizations")
-The Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework
-Center for Internet Security, Critical Security Controls for Effective Cyber Defense
-International Organization for Standardization / International Electrotechnical Commission 27000 family of information security standards (ISO/IEC 27000 family, information security management systems)

For regulated businesses:

-HIPAA security requirements
-GLB security requirements
-FISMA
-Health Information Technology for Economic and Clinical Health Act
-PCI standard

A trend-setting law, starting in Ohio in November 2018.