“Even though U.S. congressional and multilateral efforts aimed at enhancing cybersecurity have thus far largely failed in their aims, courts and regulators are using existing common law doctrines and statutory enactments to hold companies accountable for cyber attacks. However, such judicial and regulatory actions have often been haphazard, due in part to confusion over what constitute reasonable standards of cybersecurity care. This article analyzes the emerging cybersecurity duty of care and examines the potential impact of the 2014 National Institute of Standards and Technology (NIST) Cybersecurity Framework on shaping reasonable standards of cybersecurity. Given that cybersecurity best practices are not yet well defined, the NIST Framework has the potential to shape standards not only for critical infrastructure firms but also for the private sector writ large. Indeed, the Federal Communications Commission (FCC) in November 2013 wrote that it plans “to use an emerging framework of cybersecurity standards to assess and prioritize best practices … to address evolving cyber threats” in the telecommunications industry. Moreover, the NIST Framework has the potential to shift the cybersecurity landscape internationally, especially in jurisdictions that largely favor a voluntary approach to enhancing cybersecurity, including the United Kingdom, India, and to a lesser extent, the European Union. The uptake of the NIST Framework beyond the United States could help to foster a global standard of cybersecurity care, promoting consistency, benefiting businesses active across jurisdictions, and contributing to cyber peace.”