State attorneys general (AGs) plan to propose a cybersecurity safe harbor and model state law that would minimize companies' liability in enforcement actions if they suffer a breach after putting approved cybersecurity standards into place.

The current patchwork of state and federal privacy regulations and laws, including breach laws, creates compliance challenges for many businesses. While there has been discussion of potential harmonization of state breach laws, which could involve streamlining compliance requirements across the states, regulators appear to be tackling a uniform enforcement buffer first.

During a meeting of the Conference of Western Attorneys General (CWAG) this month, the Utah attorney general announced that he and a working group of his fellow AGs are in the process of creating a cybersecurity safe harbor that would give businesses predictability and certain protections from investigation or enforcement following a data breach. Several safe harbor standards have been proposed, including standards that follow the National Institute of Standards and Technology (NIST) guidelines. 

Simultaneously, the group is drafting model legislation to codify the safe harbor protections. A white paper and other proposals will be ready for public review and comment by the end of the year, if not sooner. AGs will be looking for business input on how a safe harbor can provide predictability in exchange for responsible preparation; interested parties will have the opportunity to weigh in.