What is ‘reasonable cybersecurity’?
The term is used in policy after policy. But with no standard definition, networks are often left unprotected and open to lawsuits. That is changing.
State and local government policies often require organizations to implement “reasonable cybersecurity,” without specifying exactly what it entails. That ambiguity can leave systems underprotected and fuel lawsuits over data breach liability.
A new guide from the Center for Internet Security provides a framework organizations can use to meet a standard of reasonable cybersecurity that provides the dual benefit of better security and less litigation.
Released in May, the Guide to Defining Reasonable Cybersecurity is the result of a collaboration between technologists at the center and legal experts. It has several goals. One is to define reasonable cybersecurity; absent a federal law that does so, states have been creating their own definitions.
The guide defines reasonable cybersecurity as “measures that are intended to protect against the loss, misuse or unauthorized access to, or modification of, information or data—based on the appropriate standard of care of how a reasonably prudent person in the same or similar circumstances would act.” Considerations include organization size and complexity, the nature and scope of its activities, the sensitivity of the information to be protected, and the cost and availability of tools to improve information security.
The guide highlights the work of six states that are leaders in authoring safe harbor laws, which state that public and private entities can’t be held liable for data breaches when they can prove that they have taken standard protection measures.
“What the states have done is say, ‘If you implement just one of several frameworks that [we’ve] identified in the statute, then we will give you a safe harbor,’” said Curtis Dukes, a report coauthor. “It doesn’t mean you’re not going to be hauled into court. It just means that if you can demonstrate that you’ve selected a framework, you’ve actually implemented that framework and [have] the artifacts that prove [it] … the court will take that into consideration and say, ‘You’ve met the reasonableness test and we’ve excused any liability concerns for you.’”
Ohio was the first to implement a safe harbor law in 2018. Utah and Connecticut quickly followed. Today, Florida, Iowa and Nevada also have safe harbor provisions. They are all very similar in scope, Dukes said, except for Connecticut, where its “Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” puts a cap on liability claims.
Another aim of the guide is to reduce litigation because currently, lawsuits regarding data breaches require proof of negligence. “Usually, that means the plaintiff would hire a cybersecurity expert who would testify that what the company provided was not reasonable (i.e., was lacking some key security capabilities or practices), and the company, in turn, would hire its cybersecurity expert who would testify that what the company provided was reasonable,” the report states.
Nationally applied reasonable cybersecurity standards would remove that element of opinion, incentivizing organizations to beef up their security, which would also boost trust among consumers.
Tangentially, meeting the standards could help organizations obtain cybersecurity insurance. “The underwriters, they have been moving towards forcing improvement on cybersecurity by only offering coverage if you meet a minimum standard of cyber hygiene … and offering discounts if you actually can demonstrate you’ve adopted those controls and procedures,” said Dukes, who’s also executive vice president and general manager for security best practices at the Center for Internet Security. “I believe that the insurance industry was already moving towards also establishing a guide, a set of best practices. My belief is, instead of another set of best practices … they ought to just adopt one or several that point back to the existing cybersecurity framework.”
This way, when a breach happens, insurers can see that reasonable steps were taken and pay out the claims.
Similarly, standardization could help with ransomware payment decisions. “If you attach this to a safe harbor law, where you’ve actually implemented a framework and you suffer through a ransomware event, then it should give you the legal safe harbor from litigation,” said Dukes.
All 50 states have security breach notification laws that require organizations to notify consumers or citizens if their personally identifiable information is breached. The safe harbor standards go a step further by making data security requirements part of broader consumer data privacy statutes.
Dukes said he believes there will be a federal law regarding reasonable cyber standards in the next three to five years. He said he sees evidence in efforts such as the National Cybersecurity Strategy and the Center for Internet Security’s own Critical Security Controls, a set of best practices for boosting protections.
The government is “shifting the liability burden away from the consumer and squarely starting to put it onto the vendor,” he said. “Everything from a liability perspective is moving…. You need to adopt a cybersecurity framework and implement it, you need to now follow secure by design, secure by default best practices.”