Many privacy laws require that organizations implement “reasonable security”, and many definitions of that term have been offered. On February 17, 2021, The Sedona Conference issued its final commentary on a reasonable security test for personal information. That test is likely to be accepted by courts and other adjudicators across the US. It is based on a cost-benefit analysis of the safeguards an organization had in place at the time of a data breach. The intended audience for the commentary includes security and privacy attorneys, board members and organization executives, data privacy officers and chief information security officers.
The Reasonable Security Puzzle
“Reasonable security” has been a puzzle. Many federal and state laws governing personal information require that it be protected with reasonable security. HIPAA requires it. The California Consumer Privacy Act (CCPA) requires reasonable security practices and procedures. The FTC has fined businesses that failed to implement reasonable security after data breaches. Security experts and CISOs have attempted to define the term. In 2016, the Attorney General of California identified the CIS Top-20 controls as the minimum required for reasonable security. But a definition of reasonable security that could withstand legal scrutiny did not exist until now.
Reasonable Security requires more than a list of technical safeguards
The challenge has been that laws requiring any “reasonable” behavior rest on the legal concepts of negligence and duty of care, not on a list of administrative, technical or physical safeguards. A legal test for negligence, the Hand Rule or calculus of negligence, has existed since 1947. That calculation is a cost-benefit analysis, but it had not been extended to the security of personal information until now. This changed when Sedona Conference Working Group 11 published its final commentary on a test for reasonable security on February 17, 2021. Sedona Conference working groups consist of judges, litigators and other experts, and their publications have defined standards adopted by courts across the US since 2002. That is why the publication of a test for reasonable security is so significant.
The Test for Reasonable Security
The Sedona Conference test compares two quantities. The first is the net burden the organization would have borne to implement, before the breach, safeguards beyond those it actually had in place that would have protected the people affected. The second is the net reduction in harm to all breach victims that those improved safeguards would have provided against known threats, compared with the safeguards actually in place. The organization is considered negligent if the first is less than the second. The commentary explores the issues the test raises and what is not relevant to it. At its core, the test asks whether the organization measured risk and applied appropriate administrative, technical and physical safeguards to protect others. Its only connection to a specific list of technical controls is this: if controls commonly used in the organization's industry were omitted, it falls to the organization to show that omitting them was reasonable.
Here is a link where you can download the full Sedona Conference Commentary on a Reasonable Security Test.
How to ensure that you have implemented Reasonable Security
The key to showing evidence of reasonable security is regular risk assessment. Regularly scheduled risk assessments are a component of both the NIST Cybersecurity Framework and ISO/IEC 27001. In a risk assessment, one identifies the assets to be protected, the risks to those assets and the safeguards that will mitigate those risks. But most organizations consider only the risk to themselves. The test for reasonable security requires that one also measure the risk to others, that is, to the potential victims of a data breach. Having measured both the risk to the organization and the risk to others, one can apply the test to show that the organization would not be considered negligent given current knowledge of the risks and the safeguards applied. The NIST Risk Management Framework (SP 800-37) and other risk assessment methods must be extended by practitioners before they can be used to test for reasonable security. The CIS Risk Assessment Method (CIS RAM) already includes a reasonableness test.
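As an added illustration (it is not from the Sedona commentary, CIS RAM, or this page's own material), the following Python applies the test as described above to a small, constructed risk assessment with several candidate safeguards. The formulas are one reading of the page's description: the net burden is the added cost of the improved safeguards minus the organization's own avoided expected loss, and the benefit to others is the reduction in the victims' expected loss. The control sets, breach probabilities and loss figures are assumptions; in practice they come from the organization's own risk assessment.

```python
"""Worked application of the reasonable-security (Hand Rule style) test.

Added example: the formulas are one reading of the page's description,
not The Sedona Conference's own text. All figures below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlSet:
    """A set of safeguards, described by what it costs the organization per
    year and the annual probability of a breach of the personal information
    it protects. Both values are outputs of the risk assessment."""
    name: str
    annual_cost: float
    annual_breach_probability: float

    def __post_init__(self) -> None:
        # Reject inputs that would make the cost-benefit comparison meaningless.
        if not 0.0 <= self.annual_breach_probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be in [0, 1]")
        if self.annual_cost < 0:
            raise ValueError(f"{self.name}: cost must be non-negative")


@dataclass(frozen=True)
class Impact:
    """Expected loss per breach, split into harm to the organization itself
    and aggregate harm to the data subjects (the 'others' the test protects)."""
    organization_loss: float
    victim_loss: float


def expected_annual_loss(probability: float, loss: float) -> float:
    """Annualized expected loss, P * L: the right-hand side of the Hand Rule."""
    return probability * loss


def net_burden(existing: ControlSet, improved: ControlSet, impact: Impact) -> float:
    """Net burden on the organization of moving from `existing` to `improved`:
    the added cost minus the reduction in the organization's own expected loss.
    A negative value means the improved safeguard pays for itself."""
    added_cost = improved.annual_cost - existing.annual_cost
    own_loss_avoided = (
        expected_annual_loss(existing.annual_breach_probability, impact.organization_loss)
        - expected_annual_loss(improved.annual_breach_probability, impact.organization_loss)
    )
    return added_cost - own_loss_avoided


def victim_benefit(existing: ControlSet, improved: ControlSet, impact: Impact) -> float:
    """Reduction in expected loss to data subjects that `improved` would have bought."""
    return (
        expected_annual_loss(existing.annual_breach_probability, impact.victim_loss)
        - expected_annual_loss(improved.annual_breach_probability, impact.victim_loss)
    )


def omission_is_negligent(existing: ControlSet, improved: ControlSet, impact: Impact) -> bool:
    """The test as the page describes it: the organization fails if the net
    burden of the improved safeguards is less than the net benefit to victims."""
    return net_burden(existing, improved, impact) < victim_benefit(existing, improved, impact)


def assess(existing: ControlSet, candidates: list[ControlSet], impact: Impact) -> dict[str, dict]:
    """Apply the test to each candidate improvement. The returned figures and
    verdicts are what the risk assessment record should retain as evidence."""
    results: dict[str, dict] = {}
    for cand in candidates:
        results[cand.name] = {
            "net_burden": net_burden(existing, cand, impact),
            "victim_benefit": victim_benefit(existing, cand, impact),
            "negligent_to_omit": omission_is_negligent(existing, cand, impact),
        }
    return results


# Constructed figures for a small organization holding customer records.
EXISTING = ControlSet("password-only remote access", annual_cost=0.0, annual_breach_probability=0.10)
CANDIDATES = [
    ControlSet("add MFA on remote access", annual_cost=20_000.0, annual_breach_probability=0.03),
    ControlSet("deploy enterprise DLP", annual_cost=250_000.0, annual_breach_probability=0.09),
]
IMPACT = Impact(organization_loss=500_000.0, victim_loss=2_000_000.0)

if __name__ == "__main__":
    for name, r in assess(EXISTING, CANDIDATES, IMPACT).items():
        verdict = "fails the test (should have been implemented)" if r["negligent_to_omit"] else "passes the test"
        print(f"{name}: net burden {r['net_burden']:,.0f}, victim benefit {r['victim_benefit']:,.0f} -> {verdict}")
```

With the constructed figures, omitting MFA fails the test (its net burden is negative because it pays for itself, while it would have removed 140,000 of expected harm to victims), whereas omitting the expensive DLP deployment passes, since its net burden far exceeds the 20,000 of victim harm it would avoid. The point of keeping the per-candidate figures is the record: after a breach, the organization can show which safeguards it weighed, what it knew about risk to others at the time, and why the ones it declined were declined.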
If your organization ever suffers a data breach, it will be important to show that you evaluated risks and safeguards regularly, at least as often as your security policy requires. That record shows that you value the protection of others. The foundation of reasonable security is being reasonable to others and to the business alike; the test itself defines a limit on the burden the business must bear. Please contact us if you would like to discuss this in more detail.
A side note: Vulnerability Assessments are not Risk Assessments
Vulnerability assessments are tests that determine whether software and hardware systems have known security flaws. They help identify some of the risks to assets. But threats to business processes and assets come from many sources that have nothing to do with technical vulnerabilities: compromised logins and passwords, phishing, improperly configured WiFi, unencrypted personal information shared over email, and insider threats. Vulnerability testing is necessary, but it is not sufficient.