An update on ‘reasonable security’ and how it impacts your risk and security posture.

More lawsuits filed against QRS, Sea Mar, TTEC after separate data theft incidents

SC Magazine

“QRS is facing another class-action lawsuit tied to a November 2021 systems hack and data theft impacting 319,778 patients.” “The victims claim that the breach could have been prevented if the entities limited the amount of patient information shared between them and employed ‘reasonable measures’ to ensure business associates implemented basic, adequate security protocols to secure patient data.”

Sea Mar Community Health Centers Faces Lawsuit Over Data Breach

HealthITSecurity

“The Data Breach was a direct result of Defendant’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect patients’ and employees’ Private Information,” the filing stated.

New Model Code For Personal Data Protection Is Better Than GDPR

Forbes

A Risk-Based Approach – Uniform Personal Data Protection Act (UPDPA). The Act applies fair information practices (FIPPs) for collection and use of personal data, provides reasonable levels of consumer protection without undue cost to regulators or business, and defines compatible, incompatible, and prohibited use of data.

Colorado Privacy Act Continues Countdown to 2023 Effective Date

Holland & Knight

“enforcement of the CPA’s provisions and other Colorado laws requiring businesses to take reasonable measures to secure personal information.”

Code Blue on Healthcare Applications

Security Boulevard

“The FTC expects app developers to adopt and maintain reasonable data security practices and doesn’t prescribe a one-size-fits-all approach.”

Colorado AG Issues Guidance on Data Security Best Practices

National Law Review: Sheppard Mullin Richter & Hampton LLP

‘guidance was issued in response to companies asking what “reasonable” security means.’

Jump in Facial and Voice Recognition Raises Privacy, Cybersecurity, Civil Liberty Concerns

JacksonLewis

“there are a myriad of data destruction, reasonable safeguards, and vendor requirements to consider, depending on the state, when collecting biometric data.”

Privacy and Security Enforcement: State AGs Flex Their Muscles

JDSupra: Wilson Sonsini Goodrich & Rosati

“Make sure you have a reasonable security program, with administrative, technical, and procedural safeguards. That means designating someone in charge, writing down your program, conducting a risk assessment, and mitigating risks through administrative policies, training, and technical measures.”

Uniform Law Commission Proposes “Reasonable” Uniform Personal Data Protection Act for State-by-State Adoption as Federal Privacy Bills Languish

Sidley

the model law “provides a reasonable level of consumer protection without incurring the compliance and regulatory costs associated with some existing state regimes.”

Data Privacy Laws: Five to Look Out For in 2022

Inside Indiana Business: Ice Miller

“reasonable security procedures”, “reasonable security measures”, “reasonable administrative, technical, and physical data security practices”

NYS Attorney General reaches settlement agreement with EyeMed over data breach

WGRZ.com

“Maintaining reasonable account management and authentication” and “Conducting a reasonable penetration testing program designed to identify, assess, and remediate security vulnerabilities within”

Marietta Healthcare to Face HIPAA Complaint

Law Street Media

“The negligence count alleges a breach of the duty of care to use reasonable security measures to protect data; the negligence per se count alleges that the failure to employ reasonable security measures constitutes a violation of the Federal Trade Commission Act”

Comparing Florida’s Two Leading Privacy Bills

Shook, Hardy & Bacon L.L.P.

“A cybersecurity firm to perform a threat assessment and to build the reasonable security procedures and processes required by the law.”

Analytics Are Essential for Effective Database Security

Security Boulevard

“Lawsuits that could have been avoided if there was an attempt at ‘adequate’ or ‘reasonable’ controls around data which could have reduced the time to detection and minimized the impact of data loss.”

Will The FPPA Be Florida’s First Comprehensive Privacy Law?

Shook, Hardy & Bacon L.L.P.

“A controller must implement reasonable security procedures and practices, appropriate to the nature of the personal information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

Congress to update government cyber rules, one year after SolarWinds

The Washington Post

“But the update is also raising questions about whether Congress has the wherewithal to impose reasonable cyber rules when the pace of new threats so far exceeds the pace of legislation.”

Reasonable Security is Now Defined

The Sedona Conference – an influential think tank that advises attorneys, regulators, and judges on challenging technical matters – has just released its Commentary on a Reasonable Security Test. The Commentary is the first document of its kind to give the legal community a clear definition of a “reasonable” security control.

HALOCK’s Chris Cronin was a co-author of Commentary on a Reasonable Security Test. To learn how to apply the test, contact us.

Reasonable Security Resources

In Archive360’s Podcast Episode 29: What is “Reasonable Data Security”?, Bill Tolson and Chris Cronin, Partner, Governance and Engineering Practice at HALOCK Security Labs, try to define “reasonable data security” – a term that continually appears in every state’s privacy law or proposed legislation.

PODCAST: In Cybersecurity Where You Are, co-hosts Tony Sager and Sean Atkinson are joined by Chris Cronin, ISO 27001 Auditor and Partner at HALOCK, a leading information security consultancy. Their discussion focuses on “reasonableness” as it relates to cybersecurity risk management.

RIMS: RiskWorld Recording: Reasonable Security & The Questions a Judge Will Ask You After a Data Breach. In post-data breach litigation, you must demonstrate due care and reasonable control. Learn what basic questions the court will ask and how the duty of care risk assessment (DoCRA)—based on judicial balancing tests and regulatory definitions of reasonable risk—helps you answer them.

RSA CONFERENCE 2022: A Proven Methodology to Secure the Budget You Need in a Transforming World  |  Recording of Presentation