Developments and news on ‘reasonable security’

Understand how these updates may impact your risk and security strategies.

When the Feds Find Out! Lack of Data Security Leads to Novel and Hefty Settlements | National Law Review

“failed to implement “reasonable security measures” to protect consumers’ information and to notify individuals of “multiple” breaches.”


FTC Issues Complaint and Proposed Settlement with Online Retailer for Deceptive and Unfair Security and Privacy Practices | Wilson Sonsini

“misrepresenting its data security practices, misrepresenting its response to data security incidents, and failing to employ reasonable security measures.”


Arkansas AG sues hospital for leaving patient files unsecured after closing shop | SCMagazine

“unlawful conduct harmful to Arkansas consumers by failing to take reasonable measures to protect their patients’ and employees’ personal information and by failing to properly dispose of said information.”


Ex CafePress owner fined $500,000 for ‘shoddy’ security, covering up data breach | ZDNet.com

“there was a lack of “reasonable security measures” to prevent data breaches.”


Nuna Baby Essentials Data Breach – Can California Residents Claim Damages? | Legal Scoops

“a business didn’t fulfill its obligation to implement and maintain reasonable security, an affected California resident can sue to protect their rights under the CCPA and CCRA.”


FTC Takes Action Against CafePress for Data Breach Cover Up | FTC.gov

“The FTC alleges that CafePress failed to implement reasonable security measures to protect sensitive information stored on its network, including plain text Social Security numbers, inadequately encrypted passwords, and answers to password reset questions.”


Four Takeaways from the SEC’s Proposed Cybersecurity Rules | Harvard Law School Forum on Corporate Governance

“The proposed rules would require advisers and funds to adopt and implement policies and procedures that are “reasonably designed” to address cybersecurity risks.”


Practical Strategies to Combat Common Cybersecurity Threats and Mitigate Risk | Foley & Lardner

“Many of these lawsuits result in large settlements for plaintiffs, as reasonable cybersecurity practices are now the standard of care expected of all businesses.”


CyberSecurity: Privacy Breach Claim against Employer Needs story of Unreasonable Behavior | Patentlyo

“the employee … has a reasonable expectation that the employer will take reasonable care not to place their personal data at unnecessary risk of exposure.”


CCPA Litigation Up 44.1% | National Law Review

“right of action to pursue statutory damages following data security breaches that impact certain sensitive categories of personal information and are caused by a business’s failure to institute reasonable and appropriate security.”


Utah Set to Become Fourth State to Pass Comprehensive Consumer Privacy Law | Foley & Lardner

“Covered businesses have a number of obligations under the UCPA, including establishing, implementing, and maintaining reasonable security practices and providing privacy notices to consumers.”


7 Pressing Cybersecurity Questions Boards Need to Ask | Harvard Business Review

“The BOD must make sure the organization’s most important assets are secure at the highest reasonable level.”


Defining “Reasonable” Cybersecurity: Lessons From the States | Council of Foreign Relations

“Exactly what constitutes “reasonable” cybersecurity has long vexed both businesses and policymakers.”


Massachusetts Privacy Bill Provides WISP Reminder, Safe Harbor for Punitive Damages | National Law Review

“The MIPSA would provide individuals a private right of action if their personal information is subject to a breach of security under Massachusetts law caused by a failure to implement reasonable cybersecurity controls.”


Inmediata Data Breach $1.1M Class Action Settlement | Top Class Actions

“According to the plaintiffs, Inmediata failed to protect their information through reasonable security measures.”


Senator Pushes Crackdown On High-Volume Online Sellers | Post Journal

“The online marketplace would have to verify the information provided and implement reasonable security to protect the data collected.”


Cyber Security: 3 Legal Implications and Risk Management | Legal Reader

“Ensuring standards of care is one of the ways to avoid lawsuits. The company should have prudent or reasonable practices around cybersecurity.”


California Privacy Update, Part II | Wilmer Hale

“If passed, businesses collecting biometric data in California will need to: … store, transmit, and protect from disclosure biometric information using reasonable security standards.” 


Trading Assistance: How to avoid wire transfer and e-mail scams | Produce Blue Book

“whether the intended payee took reasonable steps (e.g., utilized standard security measures) to avoid the compromised email in the first place”


OpenSea, LooksRare, BAYC Yuga Labs Named in $6 Million Negligence Lawsuit | The Fashion Law

“failed to implement “common sense and reasonable security measures” to protect users”


Preparing for Cyberattacks and Limiting Liability | National Law Review

“little or no protection to the company in a lawsuit unless the company can show that it took all reasonable actions to try to prevent the cyberattack from disrupting its business.”


Potential Board Liability for Cybersecurity Failures Under Caremark Law | CPO Magazine

“boards can take immediate steps to proactively oversee the company’s cybersecurity risks, and ensure that they are meeting their fiduciary duty of oversight.”


United States: SEC proposes broad new cybersecurity risk management rules for investment advisers and funds: Commission seeks public comment on wide range of issues in proposal | Global Compliance News

“The SEC proposes rules 206(4)-9 under the Advisers Act and 38a-2 under the Investment Company Act, which require advisers and funds to implement cybersecurity policies and procedures reasonably based on the firm’s business operations and cybersecurity risks.” 


The Urgency To Cyber-Secure Space Assets | Forbes

“establishing reasonable security measures and sharing threat information, as well as developing a common cybersecurity architecture.”


Countdown to State Law Privacy Compliance: 10 Months to Go | New Rules for Sensitive Personal Data | JDSupra: Womble Bond Dickinson

“Don’t wait to implement your compliance updates as it could require changes to your operations.” 

“California has a private right of action if a company fails to maintain reasonable security measures to protect this data and it leads to a compromise of the data, which also opens the door to broader CPRA compliance scrutiny and liability.”  

Reasonable Security is Now Defined

The Sedona Conference – an influential think tank that advises attorneys, regulators, and judges on challenging technical matters – just released its Commentary on a Reasonable Security Test. The Commentary is the first document of its kind that provides the legal community with a clear definition of a “reasonable” security control.

HALOCK’s Chris Cronin was a co-author of Commentary on a Reasonable Security Test. To learn how to apply the test, contact us.

Reasonable Security Resources

In Archive360’s Podcast Episode 29: What is “Reasonable Data Security”?, Bill Tolson and Chris Cronin, Partner, Governance and Engineering Practice at HALOCK Security Labs, try to define “reasonable data security” – a term that continually appears in every state’s privacy law or proposed legislation.

PODCAST: Cybersecurity Where You Are, co-hosts Tony Sager and Sean Atkinson are joined by Chris Cronin, ISO 27001 Auditor and Partner at HALOCK, a leading information security consultancy. Their discussion focuses on “reasonableness” as it relates to cybersecurity risk management.

RIMS: RiskWorld Recording: Reasonable Security & The Questions a Judge Will Ask You After a Data Breach. In post-data breach litigation, you must demonstrate due care and reasonable control. Learn what basic questions the court will ask and how the duty of care risk assessment (DoCRA) – based on judicial balancing tests and regulatory definitions of reasonable risk – helps you answer them.

RSA CONFERENCE 2022: A Proven Methodology to Secure the Budget You Need in a Transforming World  |  Recording of Presentation
