The topic of “reasonable security” remains a key focus for boards of directors and executive leadership—notably for entities in California subject to the California Consumer Privacy Act’s (CCPA) “reasonableness” standard, and for publicly traded firms subject to the US Securities and Exchange Commission’s proposed rules on cyber risk disclosures. But what does reasonable security really mean? It depends on whom you ask.
Justine Phillips, a partner and cyber attorney with DLA Piper, and Matt Stamper, a multi-time CISO and CEO of Executive Advisors Group, provided the following definition in their book, Data Privacy Program Guide: How to Build a Privacy Program That Inspires Trust: “Reasonable security is that level of security capability that meets the organization’s agreed-to risk tolerances while fulfilling regulatory requirements and the contractual obligations of the organization.”
Phillips says the concept of a “reasonable” person standard came on the legal scene to help jurors determine whether a defendant acted negligently. “One behaves negligently if they act in a way contrary to how a reasonably prudent person would have acted under similar circumstances. The standard holds that each person owes a duty to behave as a reasonable person would under the same or similar circumstances.”
In other words, to demonstrate “reasonable security,” a business must offer evidence proving it fulfilled its duty to consumers by building a defensible security program.
Reasonable Security: Building a Security Program That Inspires Trust
Determining what is reasonable is a moving target due to many factors, including complex attacks deployed by nation-state actors, evolving technologies, and the inherent insecurity of our supply chains. This raises the question: Can a business that has been breached prove it had reasonable security practices?
“The answer is yes, so long as the business documents its ‘reasonableness’ in a defensible manner,” says Phillips. Evidence of a defensible data security program includes thoughtful and documented administrative, technical, and physical safeguards. “For example, conducting vendor assessments and diligence to ensure the third parties and businesses that host your data are also secure. Or having an independent third party conduct an annual security audit. Remediating vulnerabilities discovered during the audit, or at least documenting why the expense associated with the improvement is too tremendous, and working it into a longer-term plan, is very important. Reasoned decisions about implementing security measures take into account the benefits, risk, and costs not only to the business but also to consumers and other stakeholders.”
A Holistic Approach to Reasonable Security
Stamper recommends a holistic approach to reasonable cybersecurity, noting that numerous factors should be front and center as organizations evaluate their security programs, including risk analysis, access management, security awareness and training, incident response, patching and vulnerability management, and the technology stacks of given applications or systems.
According to Stamper, “A foundational element of any reasonable security program is to understand how access to business processes, applications, and IT systems is governed and managed throughout an organization. Three fundamental principles should inform this effort: ‘need to know,’ ‘least privilege,’ and ‘separation of duties.’ Reasonable security requires that access rights be documented, reviewed (at least annually, but ideally quarterly), and adjusted based on common circumstances, such as onboarding a new employee or contractor.”
The Future of Reasonable Security
“The law is like the slow-moving tortoise, and the technology and adversaries are the hares,” says Phillips. “Laws are hesitant to clearly define what it means to act reasonably because the legislators are not typically cybersecurity experts, or by the time the law is published, the technology has changed so dramatically that the law is outdated. Regardless of precedent or regulator-defined minimum reasonable security, what is reasonable is ultimately what your customers expect.”
“Justine and I are extremely excited to be instructing live on the topic of reasonable security at RSAC,” says Stamper. Learn more during tutorials and trainings at RSA Conference 2023. Conducted by leading associations, such as InfraGard National Members Alliance, SANS Institute, CSA, FAIR Institute, and ISC2, these courses offer intensive, hands-on instruction on a variety of cybersecurity topics.