Recent developments and news on ‘reasonable security’ Understand how these updates may impact your risk and security strategies.
Attorney General Bonta Emphasizes Health Apps’ Legal Obligation to Protect Reproductive Health Information | State of California Department of Justice
“Health apps must also comply with California law requiring a business to implement and maintain reasonable security procedures and practices to protect personal information, including medical information, from unauthorized access, destruction, use, modification, or disclosure.”
Data breach class actions: Southern District of New York dismisses action against health care providers for lack of standing | JD Supra – Kilpatrick Townsend Stockton LLP
“Plaintiffs alleged that ‘they would not have used defendants’ services had they known defendants did not employ reasonable security measures’”
U.S. Children’s Privacy Law Update | JD Supra – Husch Blackwell LLP
“Security Requirements: Companies must have procedures in place to maintain the confidentiality, security, and integrity of children’s personal information. Even absent a data breach, companies may violate COPPA if they lack reasonable security.”
And Then There Were Five: Connecticut Adopts Comprehensive State Privacy Law | Wiley
“Obligations on Data Controllers. Under the CTPDA, controllers of personal data are subject to a number of duties, including obligations to: … Maintain reasonable security practices regarding personal data;”
FTC Adopts Policy Statement Regarding Increased Scrutiny of COPPA Violations Involving Children’s Privacy | JD Supra – Balch & Bingham LLP
“Security Requirements. COPPA-covered companies must have procedures to maintain the confidentiality, security, and integrity of children’s personal information. A COPPA-covered company’s lack of reasonable security can violate COPPA even absent a breach.”
Security Beyond Prevention: The Importance of Effective Breach Disclosures | FTC
“The FTC has long stressed the importance of good incident response and breach disclosure as part of a reasonable information security program, both through cases and business guidance resources.”
“Both security breach detection and response are vital to maintaining reasonable security.”
You looking at me? — cameras, devices and biometric data | Reuters – Davis+Gilbert LLP
“Although it remains to be seen how such legislation will change the industry’s use of and reliance upon biometric data, that it is increasingly the subject of analysis and discussion indicates a demand and a need for reasonable security and privacy practices around the collection and processing of biometric data, whether required by law or not.”
Connecticut becomes the fifth state to enact a comprehensive data privacy law | JD Supra – Eversheds Sutherland (US) LLP
“Data security requirements
All of the state data privacy laws include requirements around data security. Under the CTDPA, controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue.”
Connecticut becomes the fifth state to enact a Bill Introduced that Seeks to Improve Medical Device Cybersecurity | HIPAA Journal
“The bill also calls for manufacturers of medical devices to provide a cyber device software bill of materials in the labeling that states all commercial, open-source, and off-the-shelf software components that have been used in the devices, and manufacturers will need to comply with other requirements that may be introduced, such as being able to ‘demonstrate reasonable assurance of the safety and effectiveness of the device for purposes of cybersecurity.’”
Trends in Privacy Laws Around the U.S.: A Look at the Pending N.C. Consumer Privacy Act | JD Supra – Cranfill Sumner LLP
“CPA will also require businesses to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.”
FDA user-fee legislation carves out baseline for medical device cybersecurity | SC Magazine
“Namely, it would require any manufacturer issuing a premarket submission of a cyber device to include information relevant to ensuring the device meets cybersecurity requirements, deemed “appropriate to demonstrate a reasonable assurance of safety and effectiveness” by the secretary of Health and Human Services.”
Data Breach Suit Targets Consultant | National Association of Plan Advisors (NAPA)
“’Defendant did not use reasonable security procedures and practices suitable or adequate to protect the sensitive, unencrypted information it was maintaining for customers, causing the unauthorized exfiltration of the PII of more than 2,500,000 individuals,’ according to the suit (Greg Torrano v. Horizon Actuarial Services LLC, case number 1:22-mi-99999, in U.S. District Court for the Northern District of Georgia) against consulting firm Horizon Actuarial Services LLC. “
FTC Enforcement Highlights the Importance of Preserving Privacy in AI Development: How to Avoid AI Model Destruction | National Law Review – Epstein Becker & Green, P.C.
“The FTC has pursued investigation and cases involving companies based on allegations related to failures to: (1) sufficiently notify consumers about privacy practices; (2) adhere to representations made in privacy policies; and (3) implement reasonable security safeguards to protect PII.”
Two States Enact Insurance Data Security Laws | National Law Review – Hunton Andrews Kurth
“The new laws establish data security obligations for insurance carriers and generally require carriers to take the following actions, subject to certain exemptions:
- … Stay informed of emerging threats and vulnerabilities, and use reasonable security measures when sharing information;
- Obligate service providers to implement and maintain appropriate data security measures; …”
Complaint Dismissed Where Hacker-Induced Wire Transactions Authorized by Bank’s Customer | JD Supra – Troutman Pepper
“The court found that even though the customer was tricked by a fraudster into initiating the transfers, the wires were authorized by the customer’s account manager who approved and confirmed the transactions. The court concluded that the question of whether the bank complied with commercially reasonable security procedures under Uniform Commercial Code Section 4A-202(2) is not reached if the transfers are authorized.”
More Lawsuits Are Being Filed Under California’s Influential Consumer Privacy Law | Treasury & Risk
“Under the law, which gives California consumers a number of unprecedented data protections—including the right to know what personal data businesses have collected on them and the right to prohibit the sale of that data—plaintiffs are permitted to bring a civil action only if their personal data is breached due to a business failing to implement reasonable security procedures and practices.”
Developer workflow for software supply-chain security is in high demand | TechRepublic
“The software development and deployment supply chain is quite complicated, with numerous threats along the source ➞ build ➞ publish workflow,” said Lewandowski, in a blog post describing the general lack of a toolchain for developers locking down software artifacts. “While point solutions do exist for some specific vulnerabilities, there is no comprehensive end-to-end framework that both defines how to mitigate threats across the software supply chain, and provides reasonable security guarantees.”
Reasonable Security Resources
In Archive360’s Podcast Episode 29: What is “Reasonable Data Security”?, Bill Tolson and Chris Cronin, Partner, Governance and Engineering Practice at HALOCK Security Labs try and define “reasonable data security” – a term that continually appears in every states’ privacy law or proposed legislation.
PODCAST: Cybersecurity Where You Are, co-hosts Tony Sager and Sean Atkinson are joined by Chris Cronin, ISO 27001 Auditor and Partner at HALOCK, a leading information security consultancy. Their discussion focuses on “reasonableness” as it relates to cybersecurity risk management.
RIMS: RiskWorld Recording: Reasonable Security & The Questions a Judge Will Ask You After a Data Breach In post-data breach litigation, you must demonstrate due care and reasonable control. Learn what basic questions the court will ask and how the duty of care risk assessment (DoCRA)—based on judicial balancing tests and regulatory definitions of reasonable risk—helps you answer them.
HALOCK Breach Bulletins
Recent data breaches to understand common threats and attacks that may impact you – featuring description, indicators of compromise (IoC), containment, and prevention.