No organization can achieve airtight, hermetically sealed security, so the legal standard for compliance with most data security regulations is that the security measures in place be “reasonable.” But what does that mean? The Sedona Conference’s Working Group 11 on Data Security and Privacy Liability published a Commentary in 2021 that evaluates what “legal test” a court or regulatory body should apply, or what other approach it should follow, where the issue is whether the organization has met that legal obligation. A Contributing Editor to the Commentary will summarize its main points and address your questions.
- How to define reasonable security for your organization
- Using “reasonable” to manage risk and compliance
- Using “reasonable” to defend your security when things go wrong
Key Takeaways from this Presentation
For two decades, U.S. law has frustrated organizations by requiring that cybersecurity and privacy controls be “reasonable.” Regulators and litigators have signaled that if we could demonstrate this elusive standard, they would nod and let us pass after personal information was breached on our watch. But neither business nor regulators could articulate what “reasonable” meant, leaving organizations frustrated, confused, and fined, and the lawyers, once again, blamed. This session will demonstrate the Test for Reasonable Security in a way that IG, legal, cybersecurity, compliance, and privacy officers will be able to use in their own environments.
SPEAKER: Chris Cronin