An overview the latest news on ‘reasonable security’ and the impact on the cybersecurity industry. Keep current on the evolution of regulatory requirements and how it may affect you.
Liability for software insecurity: Striking the right balance | IAPP
“Incentivizing reasonable security. The proposal would prevent them from disclaiming liability by contract, establish a standard of care and provide “a safe harbor to shield from liability those providers that do take reasonable measurable measures to secure” their software.“
SEC Cybersecurity Rule Leans on Materiality and Reasonableness | Bloomberg Law
“Companies required to make disclosures and disclose their cybersecurity risk management and governance must consider what is material to a reasonable investor. This increases the level of language granularity and simplicity that persons should use as the materiality bar is lower for the reasonable investor than for sophisticated or institutional market investors.“
New York Continues to Crack Down on Poor Data Security Practices | JD Supra – Alston & Bird
“According to OAG the breach impacted the data of thousands of nonprofit institutions, including colleges and universities. James noted in the press release announcing the settlement that “there is no excuse for a cloud company to have poor data security measures.” The investigation concluded that the company failed to implement reasonable security and fix known security gaps, and that the company neglected to provide timely, accurate information to its customers which in turn significantly delayed notification to impacted individuals.“
CPPA Mulls Draft Cybersecurity Audit Regulations Under CPRA | National Law Review – Jackson Lewis
“It is important to note that California currently mandates certain businesses to maintain reasonable security procedures and practices to protect personal information.”
Radius Financial Group data breach $375K class action settlement | Top Class Actions
“According to the data breach class action lawsuit, Radius Financial Group could have prevented a July 2021 data breach with reasonable cybersecurity measures. Because of Radius’ failure, hackers allegedly gained access to sensitive personal information such as Social Security numbers.”
90 Degree Benefits data breach $990k class action settlement | Top Class Actions
“The data breach class action lawsuit claims that 90 Degree Benefits failed to implement reasonable cybersecurity measures that could have prevented two data breaches in February and December 2022. As a result, hackers allegedly gained access to sensitive identifying information and personal health data.”
Cybercrim claims fresh 23andMe batch takes leaked records to 5 million | The Register
“In the case of Santana vs 23andMe, plaintiffs allege that the company failed to implement “adequate and reasonable cybersecurity procedures and protocols necessary to protect victim’s PII”.”
California: The Next Frontier in Digital Asset Regulation | JD Supra – Orrick
“All of these new concepts require digital asset businesses to consider investments in cybersecurity processes, infrastructure and people. A failure to fully capture operational and cybersecurity risk and implement reasonable security controls may ultimately put the license at risk.”
Rutter’s agrees to pay $1 million in settlement stemming from data breach | WFMZ
“The AG’s office said, at the time of the breach, the convenience store chain did not have reasonable security measures in place to protect the personal information of customers, which violates the Pennsylvania Unfair Trade Practices and Consumer Protection Law.”
A Wave Of New Data Privacy Laws: Should You Update Your Privacy Policies And Practices? | Mondaq – Freeman Law
“statutes in several states require companies to implement and maintain reasonable security measures with respect to collection and storage of consumer information. As a consequence of this wave of state data privacy laws, companies now face an additional layer of exposure to data privacy lawsuits. Accordingly, companies should evaluate and update their privacy policies and data collection and retention practices.”