It’s fair to say that two adversaries contribute to the costs of cybersecurity incidents: the attackers and the lawyers. On February 16 the lawyers became your allies.
When I say “attackers” I mean anyone from state actors to someone at the office making a mistake when they’re just trying to do their job. And the “lawyers” are regulators, judges, and litigators. After getting hit by the first group, you know to expect more pain from the second.
And boy, does that second round of pain hurt! According to the NetDiligence Cyber Clams Study in 2020, the lawyers create the largest portion of costs that follow a data breach. About 55% of cybersecurity insurance claims paid to small and medium-sized businesses went to liability related costs (fines, settlements, and attorneys’ fees) while 45% paid for crisis services (such as incident response, forensics, and identity protection). For large organizations the difference was more striking. Sixty-six percent of claims payments to large organizations paid for liabilities while 33% paid for crisis services.
When an organization has been breached regulators and litigators alike question whether the victim’s organization applied due care to protect those who were harmed. Organizations that fail to demonstrate that their controls were reasonable fare poorly in their defense and pay significant costs for defense, fines, and settlements. Organizations that can demonstrate that their controls were reasonable … even if those controls failed when hackers attacked … are harder to go after.
The good news is that the lawyers have just switched sides from being your adversary to being your ally. The Sedona Conference – an influential think tank that advices attorneys, regulators, and judges on challenging technical matters – just released its Commentary on a Reasonable Security Test. The Commentary is the first document of its kind that provides the legal community with a clear definition of a “reasonable” security control. This document is a holy grail, of sorts, for cybersecurity. It provides a rule and calculation that helps lawyers know after-the-fact whether an organization provided due care in protecting breached data (presumably it would work for any type of impact, not just confidentiality impacts).
The Sedona Conference’s test is based on the same principles that inform Duty of Care Risk Analysis (DoCRA) that HALOCK developed with Center for Internet Security. DoCRA and CIS RAM provide the information security community with instructions for conducting risk assessments that business executives, litigators, and regulators understand. The Sedona Conference paper simplifies DoCRA with a simple equation
B2 – B1 < (L x I)1 – (L x I)2
It simply means that the increased burden posed by a reasonable control is less than the risk it reduces.
Organizations with foresight will realize the Sedona Conference paper as a litmus test for their cybersecurity and privacy programs. Organizations can use the calculus before a security incident to find their unreasonable controls and address them so they are reasonable; not perfect … but reasonable.
So the lawyers just gave us the key to reasonable security controls. If you choose to use it now – before a security incident occurs – the lawyers are your ally. If you don’t, then that second round of pain is going to hurt.