Despite its increasingly common use, the standard of “reasonable” security measures leaves many business leaders and their legal counsel puzzled by its purpose and meaning. Policymakers generally use reasonableness as a way to balance their protective goals with ever-changing technology and cyber threats, both by establishing baseline requirements for risk-based programs and safeguards and by setting the expectation that organizations maintain appropriate diligence as the situation evolves.
Business-to-business relationships use a similar approach when setting contract terms across interconnected businesses and supply chains.
The current regulatory landscape
States continue to enact more privacy and data security laws, while Congress focuses elsewhere. These statutes’ objectives range from broadly protecting consumers’ personal information to focusing on higher-risk sectors and shielding well-meaning, diligent companies from certain data breach-related lawsuits.
In the midst of rising cyberattacks, however, demands for “reasonable” data security measures form one common thread across these new mandates and many current regimes. For example, like most sector-specific federal laws, the Federal Trade Commission’s longstanding data security standards under its authority to protect consumers from unfair or deceptive trade practices hinge on reasonableness. Also, the European Union’s General Data Protection Regulation (GDPR) and recent comprehensive data protection laws in US states, like the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act (CPA) take similar views.
Indeed, some 20 states and the District of Columbia appeal to reasonableness in their existing generally applicable personal data security laws.
The White House weighs in
The recent series of ransomware attacks, especially those against critical infrastructure, drove the White House to issue a memo to corporate executives and business leaders, urging them to act now to shore up cyber defenses by taking a series of steps, including:
- holding leadership meetings to discuss ransomware threats and review business continuity plans;
- adopting high-impact best practices from President Biden’s Executive Order 14028 on Improving the Nation’s Cybersecurity, such as deploying multifactor authentication, endpoint detection and response, and encryption;
- employing and empowering a skilled security team;
- backing up data, system images, and configurations, storing backups offline, and regularly testing them;
- deploying patches and updates in a timely and risk-based manner;
- testing incident response plans (which, of course, implies creating and maintaining one);
- engaging in independent cybersecurity assessments; and
- segmenting networks, especially separating corporate business functions and production operations, with limited internet access to operational networks.
The White House recommendations highlight the kind of best practices that many experts consider crucial for any reasonable information security program. The regulatory landscape and cyber threat climate are continually shifting, however, so it’s vital that legal counsel keep up with changes and trends.
Understanding cyber vulnerabilities
To successfully manage cyber risks, it’s important for counsel to understand cyber vulnerabilities. Unlike threats, businesses can generally remediate or at least mitigate their cyber vulnerabilities, which typically include:
- design, implementation, or other oversights that create defects in commercial IT products or internally developed software, often requiring a patch or other update to remediate; and
- poor setup, mismanagement, or other issues in the way a business installs and maintains its IT hardware and software components.
Other common vulnerabilities that companies must also tackle include:
- gaps in the business processes;
- administrative or organizational weaknesses, such as a lack of user training and awareness or failure to appropriately prioritize and fund security programs;
- poorly designed access controls or other safeguards; and
- physical and environmental issues.
Strategies to manage cyber-risks and support reasonableness
In-house counsel can help their businesses routinely manage cyber risks and avoid attacks, or at least minimize their impact, by developing and maintaining reasonable risk-based information security programs.
Some common strategies for accomplishing this task include:
- performing regular and systematic formal risk assessments that help companies meet the reasonableness standard by identifying, prioritizing, and managing their foreseeable risks;
- recognizing that information security is not a one-time IT project but requires ongoing risk management and attention from a company’s leaders and all workforce members;
- building a sustainable comprehensive program that focuses on people, policies, processes, and tools, including vendor and supply chain risk management, instead of chasing after the latest hyped “solution”;
- prioritizing activities and resources according to risks and benefits; for example, first addressing core measures like those the White House recently emphasized;
- using widely accepted best practices such as those collected in the National Institute of Standards and Technology (NIST) Cybersecurity Framework; and
- keeping up with evolving attack trends and known vulnerabilities through trusted sources and cybersecurity information sharing programs.
Despite the apparent increase in high-profile events, most cyberattacks are avoidable with a sound information security program. Well-informed counsel is uniquely positioned to help their business clients understand and manage cyber risks while meeting legal standards for reasonable practices.
Opinions expressed are those of the author. They do not reflect the views of Reuters News, which, under the Trust Principles, is committed to integrity, independence, and freedom from bias. Thomson Reuters Institute is owned by Thomson Reuters and operates independently of Reuters News.