What in-house lawyers need to know about “reasonable” data security
States continue to enact more privacy and data security laws, while Congress focuses elsewhere. These statutes' objectives range from broadly protecting consumers' personal information to focusing on higher-risk sectors and shielding well-meaning, diligent companies from certain data breach-related lawsuits. However, in the midst of rising cyberattacks, demands for "reasonable" data security measures form one common thread across these new mandates and many data compliance regulations.
For example, the Federal Trade Commission's (FTC) longstanding data security standards under its FTC Act Section 5 authority to protect consumers from unfair or deceptive trade practices hinge on reasonableness. The EU's General Data Protection Regulation (GDPR), recent comprehensive state laws like the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (CCPA/CPRA) and the Virginia Consumer Data Protection Act (VCDPA) take similar views. So do many other laws and data compliance regulations, including some 20 states and the District of Columbia with their existing generally applicable personal data security laws.
So why reasonableness and what does it mean?
As in-house counsel, you should know that despite its increasingly common use, the reasonableness standard leaves many businesses and their leaders puzzled by its purpose and meaning. Policymakers use reasonableness to balance their public policy goals, such as incentivizing companies to make investments and maintain their vigilance, against ever-changing technology and cybersecurity threats by:
- Establishing baseline program and safeguards standards, typically using a risk-based approach
- Setting general expectations for maintaining appropriate diligence as the situation evolves
Business-to-business relationships use similar approaches for setting contract terms across interconnected business communities and supply chains. GCs can help the business create reasonable security measures by first helping it understand its cyber risks.
Understanding cyber risks, vulnerabilities, and the attack threat
Cyber threats coupled with a business’ unique vulnerabilities form its cybersecurity risk profile. Managing cyber risks requires businesses to understand and continually monitor both these elements. Cyberattacks continue to evolve but generally fall into four categories:
- Direct attacks on information technology (IT) infrastructure. Here, cyberattackers directly exploit hardware, software, or network vulnerabilities to gain unauthorized access, exfiltrate data, deny service, or wreak other havoc. Traditional hacking and network intrusions are common examples.
- Direct attacks on users and human interaction points. These attacks exploit human weaknesses, such as a willingness to open urgent-looking emails, click on enticing links, or respond to veiled threats. Poor user authentication practices, such as relying on reusable passwords instead of multifactor authentication, are another example. Ransomware and other destructive malware often enter organizations through these attacks.
- Indirect attacks on a business’ service providers. Cyber attackers frequently target the service providers to which companies grant ongoing IT access in order to outsource business functions, using those providers as a path to their ultimate target. For example, smaller or less sophisticated service providers may offer a path to high-value targets that otherwise have strong security controls.
- Indirect attacks on a business’ supply chain. These highly sophisticated attacks compromise suppliers' development or manufacturing environments to create vulnerabilities or insert malware in IT hardware or software. Attackers then exploit downstream customer organizations that install and use these products, even if they do not maintain an ongoing online connection to the supplier.
Each attack category demands its own, often overlapping countermeasures. Companies must also consider both internal and external threat actors as potential attack sources. Unfortunately, even as attacks grow in number and complexity, businesses still often fall victim to well-known and avoidable direct attacks by failing to remediate vulnerabilities. Unlike threats, companies can often directly control their vulnerabilities, which are weaknesses or other conditions that a threat actor can exploit to adversely affect a business’ data security.
Cyber vulnerabilities typically include a subset of those weaknesses and focus on:
- Design, implementation, or other oversights that create defects in commercial IT products or internally developed software, often requiring a patch or other update to remediate.
- Poor setup, mismanagement, or other issues in the way a business installs and maintains its IT hardware and software components.
Other common vulnerabilities that companies must also tackle include:
- Gaps in business processes
- Administrative or organizational weaknesses, such as:
a) a lack of user training and awareness
b) failure to appropriately prioritize and fund security programs
- Poorly designed access controls or other safeguards
- Physical and environmental issues
Performing regular and systematic formal risk assessments helps companies meet the reasonableness standard by identifying, prioritizing, and managing their foreseeable risks.
Recent White House guidance encourages a risk-based approach
The recent series of ransomware attacks, especially those against critical infrastructure, drove the White House to issue a memo to corporate executives and business leaders in early June 2021, urging them to take the threat seriously and act now to shore up cyber defenses by:
- Holding leadership meetings to discuss ransomware threats and review business continuity plans.
- Adopting high-impact best practices from President Biden's recent Executive Order 14028 on Improving the Nation's Cybersecurity, including:
a) deploying multifactor authentication, endpoint detection and response, and encryption
b) employing and empowering a skilled security team
- Backing up data, system images, and configurations; storing backups offline; and regularly testing them.
- Deploying patches and updates in a risk-based manner.
- Testing incident response plans, which implies creating and maintaining one.
- Engaging in independent cybersecurity assessments, such as using third-party penetration testers.
- Segmenting networks, especially separating corporate business functions and production operations, with limited internet access to operational networks.
The White House recommendations highlight best practices that many experts consider crucial for any reasonable information security program.
Defeating the threat with reasonable data security measures
In-house counsel can help their companies routinely defeat cyber threats by developing and maintaining reasonable, risk-based information security programs. Some common strategies include:
- Recognizing that information security is not a one-time IT project but requires ongoing risk management and attention from a company’s leaders and all workforce members.
- Building a sustainable comprehensive program that focuses on people, policies, processes, and tools, including vendor and supply chain risk management, instead of chasing after the latest hyped "solution."
- Prioritizing activities and resources according to risks and benefits, for example by first addressing core measures like those the White House recently emphasized.
- Using widely accepted best practices such as those collected in the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
- Keeping up with evolving attack trends and known vulnerabilities through trusted sources and cybersecurity information sharing programs.
By following the strategies outlined above, GCs can help their companies maintain reasonable data security, thereby improving their defenses against future cyberattacks.