Do you know where your data is? Is it "reasonably well" protected?
With data breaches making daily headlines, and hackers developing innovative methods to penetrate cyber defenses, businesses must contemplate what "reasonable" security posture to implement for when, not if, a threat occurs.
Virtually all references to "reasonable security" are high level and vague – the source can't possibly know the many environments that exist. Instead, only generalizations and risk-based truisms act as guides.
Additionally, the cyber risk lexicon differs depending on industry and audience. Authoritative entities do not want to box themselves in with a specific definition of what constitutes "reasonable" security, as once that happens resources would be required to support that position.
Alas, the status quo of vagueness continues (aka, the proverbial and frustrating "it depends" response).
Determining a legal standard of reasonable cybersecurity
As data breach and cybersecurity incidents continue to rise, lawmakers and regulators have responded with legislation and regulations requiring companies to maintain a threshold of cybersecurity to protect sensitive information. Regardless of origin, these new policies all impose a minimum standard for "reasonable" cybersecurity measures.
However, without a defined, coherent standard of care to reference, companies are left wandering in the wilderness when it comes to compliance with these often ambiguous laws and regulations.
In terms of establishing a standard of care to avoid negligence, like in the wake of a data breach, the word "reasonable" is somewhat a term of art that has evolved as technology advances. Courts commonly use a "risk/utility" test to analyze whether a defendant's conduct was reasonable and conformed to others similarly situated in the same industry and if the potential harm outweighs the burden of implementing the proper measures to prevent such harm.
At its core, the risk/utility formula seeks to determine if the burden of putting adequate precautions in place is less than the potential risk and gravity of injury.
Many companies take a cost adverse approach to cybersecurity, hoping that by being on par with similar situated companies' cybersecurity systems, that their measures will be seen as good enough. Yet with data breach litigation increasing, this practice is nothing short of risky as businesses are allowing a judge or jury determine the reasonableness of its cybersecurity posture after an incident has occurred.
A "reasonable" standard can't be established through marketing campaigns touting the cybersecurity measures that are in place. After a data breach in September 2017, shareholders brought a derivative suit against credit reporting agency Equifax, Inc. alleging that it committed fraud in connection with the data breach that resulted in a loss in value of their investments.
Specifically, the shareholders allege that Equifax made multiple false or misleading statements and omissions regarding the vulnerability of its internal systems to cyberattack and its compliance with data protection laws and cybersecurity best practices. The plaintiffs further allege that Equifax had fraudulently stated that it "regularly reviewed and updated its security protocols to ensure that they continued to meet or exceed established best practices at all times."
The judge in the Equifax case found the allegations to be credible and denied Equifax's motion to dismiss the ruling. The judge ruled that the case must go forward to take a deeper look into the cybersecurity measures that were in place at the time of the breach.
This case serves as a warning to businesses that have not conducted a thorough review of their cybersecurity posture, but continue to market themselves as cyber ready.
So what's the answer?
Without an exact definition of what "reasonable" security practices entail, a simpler approach is to evaluate what constitutes a lack of reasonable security. This approach makes it easier for an organization to map data security protection efforts (including privacy and resources) to a known framework.
By using the Center for Internet Security, Inc. (CIS) Critical Security Controls (CSC) as the overall cyber risk authoritative source, one just needs to map any "reasonable" definition to those 20 specifications to attest to its validity and utility.
As major privacy laws are enacted, such as the EU's GDPR, and the California Consumer Protection Act (CCPA), the residual risk definition and determination has become even broader, covering more requirements.
This affects what a reasonable security posture entails, upon which privacy environments are built. Our recommendation to quantify what is reasonable, and what is not, uses the California definition provided in early 2016 by then Attorney General Kamala Harris. While not directly applicable to other states, the recent CCPA law will apply and the California Attorney General's "reasonable" definition will likely be invoked in California court cases involving data breaches.
In 2016, Harris released the California Data Breach Report 2012-2015 which, among other things, states that, "the 20 controls in the Center for Internet Security's Critical Security Controls define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the controls that apply to an organization's environment constitutes a lack of reasonable security."
While the California AG's formal position is not codified, and therefore not binding, this definition of "reasonable security" does appear to strongly suggest that failure to implement all of the CIS CSC that apply to an organization constitutes a lack of reasonable security. Following the CIS CSC approach will codify an organization's risk status based on a known, proven set of requirements that will stand up well in virtually any dispute.
How does implementing the CIS CSC get the organization into a "reasonably" safe and affordable risk posture and then sell that minimal risk environment to company leadership? It codifies your organization's success factors so you can clearly enable them and then select an overall risk framework to assess your environment, determine gaps and propose mitigations for those findings.
The NIST Risk Management Framework (RMF) is a good source for enterprise risk management (ERM), whereas for cyber risks NIST's Cyber Security Framework (CSF) is a solid choice. As for a cybersecurity risk source, the CIS CSC gets you a clear two-for-one benefit – a recognized authoritative source to map your security environment and quantify risks, and a recognized methodology and approach to demonstrate and provide a "reasonable and defendable security posture."
There is minimal downside to using the CIS CSC as those security controls are definitive and actionable from the start and provide a foundational risk posture. That view will support any conflict resolution venue and further the organization's risk management savvy and expertise. Implementing the CIS CSC will show due care in any conflict venue by demonstrating that your organization is practicing cyber due diligence, even if not yet with a fully minimized risk posture.
Correction: In a previous version of this article, the acronym CIS was misidentified. It is the Center for Internet Security.