Data security laws and regulations require ‘reasonable security’ for information management, but what ‘reasonable security’ means and how it should be applied has long been debated. Broadly, “reasonable security” means that safeguards must not pose a higher risk to the organization than the lack of safeguards poses to others. The Sedona Conference recently released its Commentary on a Reasonable Security Test “to address what ‘legal test’ a court or other adjudicative body should apply in a situation where a party has, or is alleged to have, a legal obligation to provide ‘reasonable security’ for personal information, and the issue is whether the party in question has met that legal obligation.”
As the cybersecurity landscape evolves and threats become more advanced, it is important to understand how reasonable security applies to this changing environment and to specific organizations. Below are recent developments on this topic, how companies are affected, and why it is essential to define reasonable risk and reasonable security.
The Center for Internet Security (CIS) recently released the CIS Risk Assessment Method (RAM) v2.0, an information security risk assessment method to help enterprises justify investments for reasonable implementation of the CIS Critical Security Controls (CIS Controls).
source: The Center for Internet Security, Inc. (CIS®)
source: California Legislative Information
“This new law (Public Act 21-119) enacted by the Connecticut Legislature on July 6, 2021, was created with the goal of incentivizing businesses to adopt cybersecurity standards by offering protections to those that implement the reasonable cybersecurity controls identified in the law.”
source: Fox Rothschild
“Service Provider Oversight: These provisions require the financial institution to take reasonable steps to select and retain service providers that are capable of maintaining reasonable safeguards. This provision also requires the inclusion of contractual provisions that require service providers to implement and maintain appropriate safeguards.”
source: Alston & Bird
“… Blackbaud had a duty to protect Plaintiffs from the criminal conduct of third parties based on Blackbaud’s own negligent conduct in creating the risk by failing to use reasonable security measures.”
source: Norton Rose Fulbright
Proposed Interagency Guidance on Third-Party Relationships: Risk Management
“We believe that expanded guidance is needed on reasonable risk acceptance philosophies, with examples of areas where occasional trigger and appetite exceedances are understood and generally accepted by both regulators and customers.”
source: Insurance Coalition
“The lawsuit alleges that UC San Diego Health failed to implement reasonable security practices and adequately train employees on how to avoid phishing attacks.”
source: The San Diego Union-Tribune