Why security leaders need to embrace the concept of reasonable security now

Is your security program compliant? Does compliant mean secure? Could you brief the board that you’ve followed all the right steps to protect important company information?

What about broader?

Could you testify in court that your efforts are reasonable?

Vanessa Henri (@_vanessa_henri, LinkedIn)  LL.B., LL.M., Ph.D. candidate and cybersecurity legal expert at Above Security suggests that now is the time to embrace the concept of reasonable security.

Her doctoral work explores the militarization of cyberspace, cyber espionage, and notions of privacy and security. Vanessa is a published author and researcher on the Dark Web, funded by the Quebec Bar Association. She has organized conferences on legal challenges in cyberspace, was director of business development and internal research at a law firm and served as a volunteer for Project Innocence.

She recently presented a webinar on The Developing World of Cyber Litigation and Compliance (link) to introduce and explore these issues.

There is a growing need for executives, officers, and directors to grasp security and lead their organizations. That creates an opportunity for security leaders to provide relevant insights. Sometimes people talk about how compliant may not mean secure. Turns out that in some cases, compliant may not be reasonable, either.

What is reasonable security from a legal standpoint? Is this something that security leaders need to embrace?

The “reasonable” standard in security is essential for executives and directors to master. It’s important because it’s a legal obligation. Laws don’t evolve fast enough to have specific and technical descriptions of what type of intrusion system is required. Instead, they ask to have reasonable measures in place. In the same line of thought, if an organization is accused of being negligent, which was a stated legal theory in 75 percent of American data breach class action litigation in 2015, it can counter-argue that its practices are reasonable.

The key to determine whether a security leader is reasonable is to understand the context. Here are some factors and questions that companies and security professionals should take into consideration:

• How sensitive is the information your entity holds on behalf of users?

• How much information do you have to protect?

• What would be the harm if that information were released?

• Could it go as far as to impact your user’s physical safety (i.e., Ashley Madison data breach)?

• How do you measure against others who are in a similar circumstances?

Reasonable security will often amount to the industry’s standards. If an organization is not following the industry’s standards, then it’s important for its leaders to be prepared to explain why they do this and why it’s reasonable. If a judge is the first person to conduct this analysis for an organization, it’s clear the organization is doing something wrong.

Compliance with security regulations may not be reasonable security from a legal perspective. How’s that work?

As some industries are highly regulated, such as the financial and healthcare sectors, organizations must be compliant to many standards. Compliant organizations will be a step closer to having reasonable cybersecurity. However, some industries are largely unregulated. Take the Ashley Madison case for example. There were no set of standards (i.e., PCI DSS or HIPAA) that applied. From a technical standpoint, the company was compliant, but the practices were not reasonable. And this was contrary to the Personal Information Protection and Electronic Documents Act (PIPEDA), the Canadian privacy act, which specifically requires reasonable safeguards to protect users’ information.

This example showcases the difference between laws, standards and norms. Laws are enacted slowly, even assuming an agreement. So they use larger terms like “reasonable” to evolve with time. Standards are changed more often. NIST, for instance, will updates its standards within a few months. Norms, however, are constantly changing and improving as they are driven by the market and the threat landscape. A reasonable cybersecurity plan is mostly evaluated based on norms. Because of this, there might be a gap between a reasonable cybersecurity plan and an applicable standard, but context may also justify that an entity goes beyond what is required by a norm.

Are there any legal precedents to guide us through this process?

Executives can be held personally responsible for their cybersecurity decisions in a shareholder derivative action in which a shareholder, on behalf of the company, alleges a breach of a duty of care (or that management wasted corporate assets or abused its authority). Companies are expected to take reasonable actions based on the available information, and in the same line of thought, they’re expected to obtain this information by conducting appropriate technical testings (i.e., see Andrew’s webinar on penetration testing). The most common private threat comes from class action lawsuits that can be filed by employees, shareholders or even financial institutions.

In the public realm, regulatory organizations are also increasingly involved in regulating cybersecurity practices. A prominent example is the Federal Trade Commission (FTC), which has filed more than 60 lawsuits by reference to its authority under s. 5 of the FTC Act to protects consumers against unfair and deceptive practices by companies.  This authority was contested by the Wyndham Worldwide Corporation, however, the U.S. 3rd Circuit Court of Appeal has confirmed the FTC’s competence to regulate cybersecurity. Consequently, companies can expect the FTC to be even more active and confident in its enforcement actions.

We see a number of cases get dismissed or settled. How does this impact the case law process and what should we look for?

Class actions lawsuits are meet with mitigated success because the requirements of causation and damages are ill-adapted to the reality of data breach litigation. Causation, for instance, requires more than a coincidence. Yet, individuals routinely give their personal information to many entities, and data breaches occur quite frequently, sometimes even undetected.  As such, it’s challenge for a plaintiff to argue that the alleged damages result from a specific data breach. In addition to this, a plaintiff must prove cognizable damages, meaning that allegations of future injury, absent actual fraud or identity theft, are insufficient.  For these reasons, class actions are often dismissed because they lack standing.

As a consequence, legal precedents are scarce. Even when the facts would justify a trial, the lawsuits are often settles to avoid the uncertainty of the law. Nonetheless, companies would be well-informed not to declare the battle over. There will be a case down the line that will meet these requirements and for which settlement will be unacceptable. There are already signs that the law is willing to evolve to meet the demands of data breach litigation. In Canada, the Ontario Court of Appeal created a new “intrusion upon seclusion” tort, which does not require actual economic damages. In the United States, the 7th Circuit Court of Appeal also reinstated a data breach class action against Neiman Marcus, stating that there was “objectively reasonable likelihood” that identity theft or credit card fraud would occur. If you’re interested in learning more about cyber litigation and legal precedents, watch my Above Security webinar here.

What is the best next step a leader should take today to start preparing for reasonable security?

It’s essential to build communication funnels between departments and to leverage the expertise within an organization. If you have a legal department, consult and  create a plan with its help. For example, a company that operates in the U.S. and becomes a victim of a data breach may have to obey more than 47 different data breach notifications laws, like who should be contacted, when they should be contacted and how. Planning for this the day after a data breach is setting up the company for failure. In addition to internal resources, companies should have a cyber lawyer on retainer for any questions or situations that may arise.

It’s also vital to shift the mindset to prevention, as the concept of reasonable cybersecurity will evolve constantly. Do not aim for compliance, but instead try to anticipate what a reasonable course of action is. If there is a change in the threat landscape, it will be easier (and safer!) to proactively adapt. For instance, there’s currently an increase in mobile attacks through harmful applications. Since many employees access corporate data from their cellphones, organizations should anticipate how the norms, standards and laws are going to evolve to address them. Not only does it make more sense from a security perspective, but organizations that tackle problems early have more time to adjust and fund their initiatives over longer periods of time. Additionally, companies should evaluate financial and human resources. If “reasonable” cybersecurity is not achievable within your own walls, consider collaborating with experts who can assist in mapping a strong security posture.