Reasonable Cybersecurity

The requirement of "reasonable" cybersecurity has entered into the public discourse following several high-profile data breaches and a growing number of state data privacy laws. Unfortunately, there is not a national, statutory, cross-sector minimum standard of what constitutes reasonable cybersecurity. Public and private sector entities and the courts are left with an incomplete picture from which to define this important concept. 


Reasonable cybersecurity refers to measures intended to protect against the loss, misuse, unauthorized access to, or modification of information or data, judged by the appropriate standard of care: how a reasonably prudent person in the same or similar circumstances would act. Considerations include, but are not limited to, the:

  • Size and complexity of the organization
  • Nature and scope of the activities of the organization
  • Sensitivity of the information to be protected
  • Cost and availability of tools to improve information security and reduce vulnerabilities
  • Resources available to the organization

Why Is Reasonable Security Important?

The U.S. federal and state governments have various statutes, regulations, case law, and enforcement actions that affect cybersecurity. These include incident notification and data privacy laws, as well as "safe harbor" provisions that encourage the voluntary adoption of "reasonable" cybersecurity. However, none of them includes a definition that adequately describes what organizations need to do to achieve reasonable cybersecurity.

The Benefits for Businesses

In the absence of a clear understanding of reasonable cybersecurity, organizations can be uncertain about what specifically they need to do to comply with a state data privacy law or any other requirement mandating reasonable security. This is especially difficult for organizations that operate across state lines. In trying to satisfy the language of each applicable state data privacy law, organizations may be confused about how to proceed, or may implement redundant security measures, wasting time and money while possibly still failing to achieve the desired protection of their networks and their consumers' personal information.

A definition of reasonable cybersecurity also helps to clarify an organization's liability in the event of a data breach. If an organization experiences a breach and cannot provide evidence that it implemented the security measures that fall under the definition of reasonable cybersecurity, a court may find it liable under the law of negligence, exposing it to lawsuits and other damages claimed by its customers.

What Does Reasonable Cybersecurity Mean for Consumers?

With a clear definition of what they need to do to comply with state data privacy laws, organizations can more easily take foundational steps to protect their consumers' personally identifiable information (PII). If consumers know what constitutes reasonable security, they are more likely to inquire about the level of security that an organization deploys to protect their PII.

How Defining Reasonable Security Helps the Legal System

Today, negligence claims under the common law of various states have become a frequent basis for data breach litigation. Such claims typically require proving that the person or organization holding the breached data both owed a duty of care to the claimant and failed to exercise the standard of care that a reasonable person would provide. Without a model of what this standard of care entails, judges can only rely on their own subjective understanding of cybersecurity, however limited, to rule on each claim; they cannot ground their rulings in an established definition of reasonable cybersecurity from a trusted source.

A Guide to Defining Reasonable Cybersecurity


How To Develop Reasonable Cyber Defense Webinar 2025
