In one form or another, it is more likely than not that your company is in possession of personal or sensitive data that requires some degree of protection from potential cyber threats. With data breaches seeming to make daily headlines, and hackers developing innovative methods to penetrate cyber defenses, businesses must contemplate what “reasonable” security posture it must implement for WHEN, not IF, a data breach occurs. They must then determine how that translates into an adequate due diligence level of security within the confines of organizational responsibility to effectively manage enterprise risks.
Virtually all references to ‘reasonable security’ are high level and vague – the source can’t possibly know the many environments that exist. Instead, only generalizations and risk-based truisms act as guides. Additionally, the cyber risk lexicon differs depending on industry and audience and requires having to decide which framework to follow (NIST, COBIT, ISO, etc)). Thus, it’s no surprise authoritative entities do not want to box themselves in with a specific definition of what constitutes “reasonable” security. Once that happens, resources are required to support that position and defending the many nuances that follow in court cases. Alas, the status quo of vagueness and open to interpretation continues (aka, the proverbial and frustrating “it depends” response).
Given cybersecurity’s complexity, it’s not an easy chore for any regulatory entity to provide actionable security risk guidelines, yet the rest of us need a standard security risk compass. Many guidelines exist (too many in fact – with varying definitions that are part of the definition and scope problem) and some entities are now pointing to them as guides, typically listing several (e.g., the ‘one-size-does-not-fit-all’, so the more they list the better).
For the best approach, let’s explore the potential benefits to choosing just one framework (using a well-known standard) that will be seen as “reasonable” in both a court of law and public opinion.
Determining a Legal Standard of Reasonable Cybersecurity
As data breach and cybersecurity incidents continue to rise, lawmakers and regulators have responded with legislation and regulations requiring companies to maintain a certain threshold of cybersecurity measures to protect sensitive information. Whether these obligations arise under state, federal or international laws; regulations and government enforcement actions or under common law doctrines, all seem to impose a minimum standard of “reasonable” cybersecurity measures. However, without a defined, coherent standard of care to turn to when it comes to implementing cybersecurity measures, companies are left wandering in the wilderness when it comes to compliance with these often ambiguous laws and regulations. Consequently, companies are finding themselves exposed to greater risk of costly litigation, fines and other penalties as data breaches become more commonplace.
Part of the underlying problem with establishing a set cybersecurity duty of care is due to the ever-changing cyber threat landscape and the fact that each data breach is unique. Accordingly, litigation arising from data breaches can be brought in various forms of action. Whether a suit is brought from a regulatory agency such as the Federal Trade Commission or the Securities Exchange Commission, shareholders or a group of individuals, courts engage in some form of analysis on whether or not a company breached some type of duty or failed to apply a reasonable standard of care in protecting sensitive information.
In terms of establishing a standard of care to avoid negligence, the word “reasonable” is somewhat a term of art that has evolved in response to advances in technology. A defendant must show that its actions conformed to a standard of conduct equivalent to that of another that would be considered “reasonable … under like circumstances” to avoid liability for negligence. Courts commonly use a “risk/utility” test to analyze whether a defendant’s conduct conformed to others similarly situated in the same industry and if the potential harm outweighs the burden of implementing the proper measures to prevent such harm.
At its core, the risk/utility formula seeks to determine if the burden of placing adequate precautions in place is less than the potential risk of injury and the gravity of the injury. The use of the risk/utility formula traces back to 1932 in a case involving a group of tug boats that sank during a storm resulting in the loss of its cargo. The plaintiffs alleged that the defendants were negligent for failing to equip the boats with radio receiving sets that would have warned them of the storm and prevented the loss of the cargo. In turn, the defendants argued they were not liable because, at that time, radio receivers were expensive to install and maintain and that the prevailing standard of practice in the industry was that radios were not typically found in tugboats. However, the judge found that although it was not industry custom to install radios in tugboats, the court’s duty is to determine what is required as “there are precautions so imperative that even their universal disregard will not excuse their omission.”
Many companies are comfortable with taking the same approach as the tug boat defendants above: cyber security measures are too expensive, but we should be fine because we implement the same measures as others in the same industry. Yet with the uptick in litigation relating to data breaches (and lack of an established standard of reasonable cybersecurity measures) this practice is nothing short of extremely risky as businesses are hypothetically rolling the dice to have a judge or jury determine the reasonableness of its cyber security posture after an incident has occurred.
For instance, a federal judge in California recently approved a $115 million settlement in a class action lawsuit that alleged health insurer Anthem, Inc. put approximately 79 million consumers’ personal information at risk when its single data warehouse was hacked in 2015. This case highlights the serious financial implications of data breach liability and recognizes that “[t]he extensiveness and adequacy of [a company’s] security measures lie at the heart of every claim.”
Another recent case shows that businesses must also be aware that a “reasonable” standard can possibly be established through marketing campaigns touting its cybersecurity measures. As a result of a data breach in September 2017, shareholders brought a derivative suit against credit reporting agency Equifax Inc. alleging that it committed fraud in connection with the data breach resulting in a loss in value of their investments. Specifically, the shareholders allege that Equifax made multiple false or misleading statements and omissions regarding the vulnerability of its internal systems to cyberattack and its compliance with data protection laws and cybersecurity best practices. The plaintiffs cite several instances of Equifax touting that it “employed a highly sophisticated data information network” when in fact, Equifax had, among other things, had: (1) failed to implement adequate patching processes; (2) failed to create adequate encryption measures; (3) failed to implement adequate authentication measures; (4) failed to establish mechanisms for monitoring its networks for security breaches; (5) stored personal data in easily accessible public channels; (6) relied on outdated and obsolete software; and (7) failed to warehouse obsolete personal information. The plaintiffs further allege that Equifax had fraudulently stated that it “regularly reviewed and updated its security protocols to ensure that they continued to meet or exceed established best practices at all times.” However, Equifax had allegedly fell short of complying with these regulatory requirements.
The judge in the Equifax case ultimately found the allegations to be credible and denied Equifax’s motion to dismiss the ruling that the case must go forward to take a deeper look into the cybersecurity measures that were in place at the time the breach occurred and determine if Equifax had fraudulently over stated the capabilities of its cyber infrastructure to thwart outside threats and attack. This case serves as a warning to businesses that have not conducted a thorough review of their cybersecurity posture, but continue to market themselves as cyber threat ready.
Despite the lack of express authority on what constitutes “reasonable” cybersecurity measures, companies looking to bolster their cybersecurity framework do have some persuasive guidelines that they can turn to while more defined standards work their way through the judicial and legislative systems. Even though not officially codified, the global trend toward a coherent standard of reasonable cybersecurity measures appears to be trending toward the CIS CSC.
However, the industry still needs to have a common definition for ‘reasonable’ to: (1) have an expectation that will build that level of protection and trust in security posture when collectively doing business together, and (2) to demonstrate or prove security risk posture in a dispute resolution (be that in a court of law or otherwise).
Here are our recommendations for a common industry standard with respect to a reasonable cybersecurity risk definition (it is actually a detailed list of ‘specifications’ and goes well beyond just a definition):
So. What’s the answer?
Given the absence of an exact definition of what “reasonable” security practices entails, a simpler approach is to instead evaluate what constitutes a lack of reasonable security. This approach makes it easier for an organization to map their data security protection efforts (including privacy and resources) to a known framework and more effectively quantify the residual risks – the end state that is most useful and uses common risk terminology. By using the Center for Information Security (CIS) Critical Security Controls (CSC) as the overall cyber risk authoritative source, one just needs to map any reasonable definition to those 20 specifications to attest to its validity and utility.
Why did we choose the CIS CSC approach for reasonableness versus others, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) (or for that matter others such as COBIT, ISO27001, HITRUST, etc)? As major privacy laws are enacted, such as the EU’s GDPR, California’s CCPA and other forthcoming regulations, the residual risk definition and determination has become even broader, covering many additional requirements. This translates to what is a reasonable security posture, upon which privacy environments are typically built.
Our proposed method to quantify what is reasonable (or what is not, as in this case), is using the California definition provided in early 2016 by then Attorney General, now Senator, Kamala Harris. While the definition does not apply directly to states outside of California, the recent California Consumer Protection Act (CCPA) will apply and the CA AG “reasonable” definition will likely be invoked in CA court cases involving data breaches with insufficient privacy protections. CA has been the frontrunner in establishing privacy protection (since at least 2003), so both of these measures will likely transition to laws in other states.
On February 16, 2016, Harris released the California Data Breach Report 2012-2015 (the “Report”) which, among other things, provides (1) an overview of the responsibilities of businesses regarding the protection of personal information and reporting data breaches and (2) a series of recommendations for businesses and state policy makers to follow to help safeguard personal information. Importantly, the Report Recommendation states that, ““The 20 controls in the Center for Internet Security’s Critical Security Controls define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement allthe Controls that applyto an organization’s environment constitutes a lackof reasonable security” (pursuant to California’s information security law).” California’s information security statute, Cal. Civ. Code § 1798.81.5(b), requires that: “[a] business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” The CIS CSC is a set of 20 cybersecurity control measures meant to “detect, prevent, respond to, and mitigate damage from cyber attacks.
While the California Attorney General’s formal position is not codified in law, and therefore not binding, this definition of “reasonable security” does appear to strongly suggest that failure to implement all of the CIS CSC that apply to an organization constitutes a LACK of reasonable security.” Because of the utility of the CIS CSC as an authoritative source of “specification level” cybersecurity requirements (that are specific protections to put in place, easily understood and followed), we believe they are the “industry standard” (following the tug boat outcome example) that many are already following, or will follow, thus qualifying as the security risk measures to adopt.
While the other sources mentioned all provide some guidance on what may be considered reasonable security measures, they should be selected for follow-on risk management after the CIS CSC baseline is established and gaps mitigated, with corresponding residual risk levels for each of the 20 security controls. These risk levels can then be used/mapped to the other risk sources. We suggest for many entities that risk framework can be the NIST RMF (Risk Management Framework) (where the others sources are focused on financial, industrial, medical, etc.). The NIST RMF has a lot of support readily available as well and has been updated to use weighted measures to establish levels therein. In short, the CIS CSC should be the initial security risk assessment baseline for most, followed by another authoritative risk source tailored to an industry.
Additionally, the CIS CSC will likely provide what is needed in a California court of law as proof of security posture effectiveness. It is highly probable that other states and probably agencies will follow this path of requiring specific proof of your security baseline to some standard (we believe that will be the CIS CSC as California did, setting a precedent). In any event, following this approach will codify the organization’s risk status based on a known, proven set of requirements that will stand up in virtually any dispute anywhere (e.g., with any court, a cyber insurance company, partners, etc).
The Utility/Benefits of Using CIC CSC Top 20
How does implementing the CIS CSC help in your security quest to get the organization into a “reasonably” safe and affordable risk posture… AND… sell that minimal risk environment to leadership (C-suite, the board, other business units, et.al.)?
The first step would be to assess your organization’s success factors – what matters most to them, so you can clearly enable them (don’t assume these – find them in writing!). Demonstrate how you enable those, from both: (1) an actual cyber risk reduction and the cost avoidance therein (some can be huge – Ponemon’s data breach average cost is $7.8 million for USA businesses and some go out of business (almost 60% of SMBs do within 6 months of a breach) and (2) the freedom that a minimized environmental risk posture then allows the business units to take other calculated opportunity risks and enhance innovation, etc.
The next step would be to select an overall risk framework to assess your environment, determine gaps, and propose mitigations for those findings. As suggested earlier, the NIST RMF is a good source for enterprise risk management (ERM) while the NIST’s CSF is a solid choice for cyber risk (once you have the basics mastered, which is where the CIS CSC comes in). As for a cybersecurity risk source, the CIS CSC gets you a clear two-for-one benefit – a recognized authoritative source to map to your security environment and quantify risks, and a recognized methodology and approach to demonstrate and provide a “reasonable security posture” in any dispute venue, including most, if not all, U.S. courts.
Once a CIC CSC risk foundation has been established, moving to managing the next security risk level is much easier. You will have specific risk levels already established, albeit more technically based for the most part. The higher level risk sources tend to go into the more holistic aspects of cyber risk and be “objective oriented” versus the ‘specification” level of CIS CSC. This will therefore make those residual risk determinations easier with the CIS CSC as a background and reference guide. The risk determinations from these higher level sources will also be more directly mapped to the organizational success objectives, making an easier sell to leadership than just the CIS CSC alone (though as foundational risk items, like cyber hygiene, encryption, etc, they must be championed as well). These risks will also be more readily integrated into an overall ERM approach, which every organization needs. An overarching GRC view is also recommended (Governance Risk (management) and Compliance), where the benefits, costs and risks of all efforts can be weighted on a common scale for overall business utility.
There is little (if any) downside to using the CIS CSC as those security controls are definitive and actionable from the start, providing a foundational risk posture. That view will support any conflict resolution venue (arbitration, courts, etc) and further the organization’s risk management savvy and expertise (both in source chosen (NIST, COBIT, etc) and integrating into an ERM effort). From there, you will need to ensure you have a risk-based enterprise security strategy to manage and account for the many business variables, threat vectors, resources, etc., that that need to be assessed in the cyber risk equation. The only certainty is change, including the bad guys getting better and faster than we do as a community.
As NIKE stated – just do IT! In this case, adopting the CIS CSC, having a plan and starting to implement it will gain mileage in any conflict venue (as you are then practicing due diligence, even if you are not yet fully operational with a minimized risk posture).