Will Cybersecurity Best Practices Morph into Cyber Mandates?
The federal government has been encouraging employers to adopt best practices to address both external and internal threats to critical business information and infrastructure. These best practices have included an important human resources element, including policies and programs covering current and former employees.
For example, the Obama Administration opened its initiative to combat trade secret theft with a report that listed human resources policies as one of four areas in which employers need to adopt best practices. Similarly, the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology and the recently published Best Practices for Victim Response and Reporting of Cyber Incidents developed by the U.S. Department of Justice include multiple recommendations regarding human resources policies needed to manage cybersecurity risks. Employees can be among the best protectors of employers’ critical information, or its worst threat.
In a new development, some U.S. state governments are beginning to mandate human resources policies to address these threats. For now, the mandates extend to only to a limited range of policies—such as mandatory employee training and disciplinary measures—and apply only to certain industries, such as government contractors and health insurance entities (a category, by the way, that includes health insurers, health care centers, pharmacy benefits managers, third-party administrators, and utilization review companies).
It’s not hard to imagine these mandates expanding to cover more industries in more jurisdictions and a broader range of policies and procedures. Consider, for example, the impact a mandate might have that requires the clawback of compensation and benefits from executives for certain breaches of their cybersecurity obligations.