A review of recent developments and news on ‘reasonable security’ and the impact on the cybersecurity industry. Stay updated to see how they could affect your organization.
Attorney General Josh Shapiro Announces $8 Million Agreement with Wawa Following Investigation into 2019 Data Breach | Pennsylvania Office of Attorney General
“The attorneys general allege that Wawa failed to employ reasonable information security measures to prevent such a data breach, therefore violating state consumer protection and personal information protection laws.”
Acting AG Platkin Co-Leads $8 Million Settlement with Wawa Inc. over Data Breach that Compromised Millions of Payment Cards in New Jersey | State of New Jersey Office of Attorney General | NJ Filing
“Acting Attorney General Platkin and Attorney General Shapiro allege that Wawa failed to employ reasonable information security measures to prevent such a data breach, and therefore violated state consumer protection and personal information protection laws.”
Attorney General Moody Secures Millions of Dollars in Multistate Action Following Massive Data Breach | Florida Office of Attorney General
“Attorney General Ashley Moody said, ‘Hackers will go to great lengths to steal personal information—often targeting businesses to access the data of millions of consumers. It is important that companies take reasonable measures to protect their customers from data breaches.’”
“The attorneys general allege that Wawa failed to employ reasonable information security measures to prevent such a data breach, therefore violating state consumer protection and personal information protection laws.”
Attorney General Jason Miyares Announces $8 Million Data Breach Settlement with Wawa | Commonwealth of Virginia Office of the Attorney General
“Attorney General Miyares and the other participating Attorneys General allege that Wawa failed to employ reasonable information security measures to prevent such a data breach, and therefore violated state consumer protection and personal information protection laws.”
“It is imperative that businesses employ every reasonable security measure to protect their customers and prevent sensitive data breaches like this one,” Attorney General Miyares said. “I am pleased we were able to reach a settlement that addresses the conduct at issue and implements safeguards going forward to ensure this type of breach does not happen again.”
A Rule 37 Refresher – As Applied to a Ransomware Attack | National Law Review
“As a business owner, when it comes to cybersecurity, you must take reasonable and defensible efforts to protect your data.”
After Huge Illuminate Data Breach, Ed Tech’s ‘Student Privacy Pledge’ Under Fire
“Under the law, education vendors are required to maintain “reasonable” data security safeguards and must notify schools about data breaches “in the most expedient way possible and without unreasonable delay.”
“send a strong and very important signal that not only must you ensure that you have reasonable security in place, but if you say you do and you don’t, you will be penalized.”
SEC’s Increased and Expanding Focus on Cybersecurity Disclosures | Treasury & Risk
‘The proposed rule states that “[w]hat constitutes materiality for purposes of the proposed cybersecurity incidents disclosure would be consistent with that set out in the numerous cases addressing materiality in the securities laws. … Information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available.”’
Is the U.S. Finally Getting a Comprehensive Cybersecurity and Data Protection Law?: What You Need to | JD Supra | Spilman Thomas & Battle, PLLC
“requires that company CEOs and company privacy protection officers maintain reasonable internal controls and reporting structures for compliance with the ADPPA. In addition, this section sets forth the responsibilities of service providers and third parties, requiring covered entities to conduct reasonable due diligence in selecting service providers and transferring data to third parties.”
What is IoT? Guide to the Internet of Things | eWeek
“California Consumer Privacy Act (CCPA), which requires manufacturers to include “reasonable” security features in IoT devices. It also introduced standards for companies doing business in California, and penalties for violations and data breaches. A major violation could result in fines of US $2,500 to US $7,500 per violation as well as action from the California attorney general’s office.”
BJC Healthcare data breach class action settlement | Top Class Actions
“Affected consumers took legal action against BJC Healthcare, arguing the company could have prevented the data breach through reasonable cybersecurity measures. According to plaintiffs in the data breach class action lawsuit, BJC Healthcare’s negligence directly led to the cyberattack.”
New FTC Data Directives Driving Change at Car Dealerships | PYMNTS.com
“The FTC’s Safeguards Rule has been in effect since 2003 but was amended last year with changes that are to take effect December 6. Amico said the current rule requires companies to have “reasonable security” to protect consumers’ personal information, while the amended rule includes a prescriptive list of things companies must do.”
Amazon Confirms It Shares Ring Doorbell Footage With Police | FindBiometrics.com
“While that sounds like a reasonable security policy, it likely underplays the sheer invasiveness of Amazon’s network.”
FTC Issues Business Alert on Illegal Use and Sharing of Location, Health and other Sensitive Data | National Law Review
“The FTC “cracks down” on businesses that misuse consumer data.”
“CafePress, a custom merchandise platform, for its alleged failure to implement reasonable security measures (including the failure to implement reasonable data retention practices) and failure to respect consumers’ deletion requests, which resulted in an order requiring the company to pay a fine and minimize its data collection practices;”
Maryland Amends Data Security and Breach Notice Obligations | National Law Review
“requirement to implement and maintain “reasonable” security measures will also apply to businesses that maintain personal information of Maryland residents”
So, Your Business Has Suffered A Data Breach. Now What? | Lexology | McGrath North Mullin & Kratz
“The FTC requires that businesses take reasonable steps to protect consumer data. Your business should implement reasonable security measures and document them.”
Privacy in the Metaverse | Security Boulevard
“implement reasonable security practices for the retention of biometric information to safeguard customer information and mitigate risks of data breaches.”
Endgame On: The narrowing path ahead for privacy legislation | Brookings.edu
“The effect would be to create a duty of care through the privacy-by-design provision’s obligation to put in place “reasonable” practices.”
Reasonable Security Resources
In Archive360’s Podcast Episode 29: What is “Reasonable Data Security”?, Bill Tolson and Chris Cronin, Partner, Governance and Engineering Practice at HALOCK Security Labs, try to define “reasonable data security” – a term that continually appears in every state’s privacy law or proposed legislation.
PODCAST: In Cybersecurity Where You Are, co-hosts Tony Sager and Sean Atkinson are joined by Chris Cronin, ISO 27001 Auditor and Partner at HALOCK, a leading information security consultancy. Their discussion focuses on “reasonableness” as it relates to cybersecurity risk management.
RIMS: RiskWorld Recording: Reasonable Security & The Questions a Judge Will Ask You After a Data Breach. In post-data breach litigation, you must demonstrate due care and reasonable control. Learn what basic questions the court will ask and how the duty of care risk assessment (DoCRA)—based on judicial balancing tests and regulatory definitions of reasonable risk—helps you answer them.
RSA CONFERENCE 2022: A Proven Methodology to Secure the Budget You Need in a Transforming World | Recording of Presentation