
If your company is not following the NIST recommendation, they are incompetent, and will be held liable in case of a breach

This is a stretch. Liable? Please show the case law, or the legislation.

(My statement has no relevance to the validity of NIST's recommendations)




Not directly. However, NIST is admissible in court, and so if someone sues there is now evidence that they should have known better.


Anything is admissible in court, the judge merely has to allow it.

There are thousands of such organizations, and many conflict with each other.

My point is, it's inaccurate to say you are liable for not following NIST. I could easily say you could be liable for not following me.

Does that make it so? No.


NIST SP 800-63B is informative, not normative. It codifies existing industry-standard best-practice, but is not in itself law. However, not following best-practices may be argued as negligence if it leads to a breach or decrease in shareholder value.



