Most organizations have personal or sensitive data that require protection from potential cyber threats. As data breaches make daily headlines and hackers develop innovative methods to penetrate cyber defenses, organizations should invest in their security posture before a data breach occurs. This is not just important for liability protection, but often, cyber insurance policies require that the insured maintain a minimum level of cybersecurity safeguards for the insurance policy to be valid. The last thing wanted by any organization is to be dealing with the fallout from a breach only to find the insurance provider will not pay out on the policy because the organization did not take “reasonable” steps to secure the data.
The continuing rise of data breaches and cybersecurity incidents has lawmakers and regulators responding with legislation and regulations requiring companies to maintain a minimum standard of “reasonable” cybersecurity measures. What is “reasonable”? The ever-changing cyber threat landscape and the fact that each data breach is unique makes that tough to answer. To avoid liability for negligence, a defendant must show their actions conformed to a standard of conduct equivalent to that of another organization that would be considered reasonable under similar circumstances. Courts commonly look at whether a defendant’s conduct conformed to others who are similarly situated in the same industry and if the potential harm outweighs the burden of implementing the proper measures to prevent such harm.
Many organizations feel cybersecurity measures are too expensive and often rely on the misconception that implementing the same measures as others in the industry is sufficient. However, this practice is extremely risky. These organizations are leaving it to a judge or jury to determine the reasonableness of their cybersecurity posture after an incident has occurred. The very fact that a breach occurred could imply that the organization’s measures were insufficient and, therefore, not “reasonable.”
Given the absence of an exact definition of what “reasonable” security practices entail, the simplest approach is to design your data security protection efforts around a known framework, such as NIST, COBIT, SP 800-53, or ISACA, among others. In early 2016, then-California Attorney General Kamala Harris provided a definition for what is considered reasonable in California in the California Data Breach Report 2012-2015 (the Report). The Report states that the 20 controls in the Center for Internet Security’s (CIS) Critical Security Controls (CSC) define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the controls that apply to an organization’s environment constitutes a lack of reasonable security (pursuant to California’s information security law). The CIS CSC is a nationally recognized set of 20 cybersecurity control measures meant to detect, prevent, respond to, and mitigate damage from cyberattacks.
While the California Attorney General’s position is not codified in law, the recent California Consumer Protection Act will apply this “reasonable” definition, and the California courts will likely use CIS CSC as the industry standard against which to measure organizational negligence in cases involving data breaches with insufficient privacy protections. We would expect insurance companies to use the same standard. California has been the frontrunner in establishing privacy protection regulations, so similar measures will likely appear in other states in the coming years.
The CIS CSC should provide proof of security posture effectiveness in a California court of law. Following this approach will codify the organization’s risk status based on a known, proven set of requirements that will stand up in virtually any dispute (e.g., with any court, a cyber insurance company, partners, etc.). Organizations that have not yet begun a review of their cybersecurity position should engage a cyber-security expert to perform a cyber risk review, which will determine how their organizational controls measure up to the CIS CSC controls for their industry. This information will assist them in developing a roadmap to begin strengthening their posture. The results of these efforts will be a reduction in the likelihood and severity of a breach, as well as a defense against liability when that breach inevitably occurs.
For questions about Windes Cybersecurity services, please call 844.4WINDES (844.494.6337) or email us at advisory@windes.com.