The Evolution of Security & Risk
What is considered ‘reasonable’ when it comes to cybersecurity? That has become a burning question for not just the IT and cybersecurity communities but also for company board rooms, regulators, judges, and litigators. Even the public is exhibiting a growing interest in defining reasonable security expectations due to the perpetual breaches involving their personal data. Over the past two decades, we have witnessed the extraordinary transition to a digital world and at a breathtaking pace. Not only have we evolved into an internet-based economy, but the internet is also now embedded into our social fabric. The problem is that many of the protocols that were established at the dawn of the internet were created at a time when threat actors, data breaches, and ransomware were nonexistent. Email was created for a trusting world back in 1971. Today, every internet connected organization must contend with faceless attackers residing on the other side of the world that can initiate a devastating attack with a mere phishing email.
Years ago, companies primarily only worried about physical security. Now, we have transitioned to what has been branded as a “zero-trust world.” Before, a reasonable set of cybersecurity controls could have only included a firewall performing stateful inspection and some type of antivirus software. And not long ago, the idea of allotting local administrator rights to standard users was acceptable. Even the concept of the password has evolved. Acceptable cybersecurity safeguards from even a decade ago would no longer suffice today. As the world changes, so does the expectation of what is reasonable.
There is always going to be an element of risk in life. You can drive a motor vehicle that adheres to all federal motor vehicle safety standards. You can obey every traffic law and take every safety precaution and still have an accident. In terms of cybersecurity, you can be in perfect compliance with every industry standard and government regulation and still have a data breach. You can implement every one of the NIST 800-171 controls and still be a victim of an attack. Security controls are not perfect. An occasional phishing attack will always manage to make its way through even the most stringent email security solutions. Zero-day malware variants that can bypass endpoint security systems will continue to be developed. While today’s common controls may not be perfect, you are expected to have them because they collectively reduce your risk exposure. Every organization has a duty of care that requires them to take reasonable steps to protect their employees and customers from harm. Businesses are expected to take sufficient measures to secure the sensitive personal data of other people whose information is in their care. Demonstrating duty of care establishes the absence of negligence, and it is negligence that results in lawsuits.
What is Your Duty of Care?
While ‘reasonable security’ is a regulatory requirement cited in numerous acts and laws, enterprises have struggled to define it for their working environment. Unfortunately, companies mistakenly equated compliance to be the same as reasonable. As cyberattacks and data breaches increase, so does litigation for these types of incidents. And at the base of these suits is the concept of practicing reasonable security. What was the ‘duty of care’ of organizations when it comes to information security? We are seeing more cases referencing this:
- Quest’s ReproSource, a reproductive health testing laboratory, suffered a ransomware attack that potentially exposed 350,000 patients’ protected health information (PHI). It is now facing a lawsuit for failing to “take reasonable measures to protect patient data”.
- UC San Diego Health is being sued due to a data breach affecting 500,000 patient records. “The lawsuit alleges that UC San Diego Health failed to implement reasonable security practices and adequately train employees on how to avoid phishing attacks.”
- Colonial Pipeline, the largest fuel pipeline in the U.S., was attacked, resulting in stolen data and a ransom payment. Because operations were halted, gas stations experienced fuel shortages and significantly higher gas prices, affecting their businesses. Class actions were filed against Colonial Pipeline on the grounds it “failed to implement and maintain reasonable security measures, procedures, and practices appropriate” to its business.
- Blackbaud, a cloud software company that manages sensitive data for its customers, experienced a ransomware attack and data exfiltration. Its clients included social good entities such as non-profit organizations, healthcare, and educational institutions. Blackbaud is now facing negligence claims by the members or customers of its client organizations. They claim “Blackbaud had a duty to protect Plaintiffs from the criminal conduct of third parties based on Blackbaud’s own negligent conduct in creating the risk by failing to use reasonable security measures.”
“Reasonable security” means that safeguards must not pose a higher risk to the organization than the lack of safeguards poses to others.
Reasonable Security Considers All Perspectives Appropriately
The concept of ‘reasonable security’ enables organizations to take a holistic view of their enterprise’s security strategy through a duty of care risk analysis. Based on your business’ mission, objectives, and obligations, you incorporate all perspectives from the C-suite, legal team, IT team, regulators, customers, and the public, allowing you to prioritize investments, protect systems, and render executive reporting effectively and efficiently. And that begins with a risk assessment.
The NetDiligence Cyber Claims Study indicates that two-thirds of cyber insurance claims are associated with liability (regulatory fines, litigation, and settlements). Those are the easiest to reduce if you just do a risk assessment. When risk assessments don’t show a plan based on reasonable controls, litigators and regulators go into action and cause your breach costs to triple.
What is unique about duty of care and reasonable security is the balance between the business goals, regulatory requirements, and the social responsibility of a company. You take into consideration the impact as it applies to your landscape. What is considered reasonable for one firm is not necessarily considered reasonable for another. Managing risk by balancing business mission, objectives, and obligations to third parties establishes that implemented security safeguards are reasonable and appropriate.
The Year of Reasonable Security
2021 was the year of reasonable security. We now have a working definition of ‘reasonableness’ through the Sedona Conference, a widely respected non-profit educational and legal policy development organization and valuable source for the interpretation of U.S. law. Privacy regulations cite ‘reasonable’ in how data should be managed. The latest version of the Center for Internet Security® Risk Assessment Method (CIS RAM), which helps users implement CIS Controls reasonably, has also recently been released. Here is a quick look at key events this year:
Feb 2021 – The Sedona Conference
The Sedona Conference is a nonpartisan research and educational institute that dedicates itself to the advanced study of law. To answer the perpetual question of what constitutes ‘reasonable security’, the group created a test that can help determine whether an organization has properly measured the risk associated with its cybersecurity safeguards. The Sedona Conference Commentary on a Reasonable Security Test provides a cost analysis that compares the net impact of a cybersecurity incident on its victims with the impact of implementing the necessary safeguards. The test can be used in litigation as well as in legislative and regulatory oversight.
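To make the balance test concrete, here is an added illustration (not the Sedona Conference’s or CIS RAM’s own arithmetic) that scores one risk and two candidate safeguards on constructed 1-to-5 scales and applies the definition above: a safeguard is reasonable when its burden on the organization does not exceed the risk its absence poses to others. The `ACCEPTABLE_RISK` threshold, the scales, and the phishing scenario are all assumptions chosen for the example.

```python
from dataclasses import dataclass

ACCEPTABLE_RISK = 6  # assumed: highest likelihood x impact score the organization accepts


@dataclass
class Risk:
    name: str
    likelihood: int        # 1 = rare .. 5 = expected, with today's safeguards
    impact_to_others: int  # harm to customers/public if the incident occurs (1..5)
    impact_to_mission: int # harm to the organization's own mission/objectives (1..5)

    def score(self) -> int:
        # Duty of care weighs harm to others and harm to the mission; use the worse one.
        return self.likelihood * max(self.impact_to_others, self.impact_to_mission)


@dataclass
class Safeguard:
    name: str
    residual_likelihood: int  # likelihood of the incident once the safeguard is in place
    burden_likelihood: int    # how certain the safeguard's own cost/friction is (1..5)
    burden_impact: int        # how badly that cost/friction hurts the mission (1..5)

    def burden(self) -> int:
        return self.burden_likelihood * self.burden_impact


def evaluate(risk: Risk, sg: Safeguard) -> dict:
    """Apply the balance test and report whether the safeguard is reasonable and sufficient."""
    worst_impact = max(risk.impact_to_others, risk.impact_to_mission)
    residual = sg.residual_likelihood * worst_impact
    risk_to_others_without = risk.likelihood * risk.impact_to_others
    return {
        "current_risk": risk.score(),
        "residual_risk": residual,
        "burden": sg.burden(),
        # The safeguard must not pose more risk to the organization than its absence poses to others.
        "reasonable": sg.burden() <= risk_to_others_without,
        # Separately: does the safeguard bring the risk down to the accepted level?
        "sufficient": residual <= ACCEPTABLE_RISK,
    }


# Constructed scenario: phishing that exposes patient records.
PHISHING = Risk("phishing leads to PHI exposure", likelihood=4, impact_to_others=5, impact_to_mission=4)
MFA_AND_TRAINING = Safeguard("MFA plus phishing training", residual_likelihood=2, burden_likelihood=5, burden_impact=1)
BLOCK_ALL_EXTERNAL_MAIL = Safeguard("block all external email", residual_likelihood=1, burden_likelihood=5, burden_impact=5)

if __name__ == "__main__":
    for sg in (MFA_AND_TRAINING, BLOCK_ALL_EXTERNAL_MAIL):
        print(sg.name, evaluate(PHISHING, sg))
```

The first safeguard passes the balance test but leaves residual risk above the accepted level, so more controls are needed; the second drives risk down but burdens the organization more than the unmitigated risk burdens others, so it fails the reasonableness test.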
May 2021 – CIS Controls v8
Cybersecurity is a moving target because new technologies and threats are perpetually introduced while existing ones continue to evolve. That is why frameworks relating to cybersecurity must evolve as well. CIS Critical Security Controls (CIS Controls v8) serves as an updated control list that outlines security best practices relating to mobile, IoT, and cloud environments. Control examples include asset inventory, data protection, network monitoring, and account management to name a few.
July 2021 – California Privacy Rights Act
With CCPA becoming the law of the land on January 1, 2020, the state of California began formulating and adopting new regulations for what will be the California Privacy Rights Act (CPRA). CPRA will serve as an extension of CCPA and will go into effect on January 1, 2023. The CPRA obligates businesses to implement reasonable security procedures and practices to protect the personal information they collect.
There are elements of the bill that focus on privacy and data security requirements which will become effective in 2022.
October 2021 – Genetic Information Privacy Act (GIPA)
California Governor Gavin Newsom signed into law the Genetic Information Privacy Act (GIPA). The Act requires direct-to-consumer (DTC) genetic testing companies to “Implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure.”
Direct-to-Consumer (DTC) companies will be required to provide a summary of their privacy practices pertaining to elements such as data collection, consent, and data retention to name a few. CPRA defines a DTC company as an entity that does any of the following:
- Sells, markets, interprets, or otherwise offers consumer-initiated genetic testing products or services directly to consumers.
- Analyzes genetic data obtained from a consumer (unless the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition).
- Collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by a consumer.
DTC companies must implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure.
October 2021 – Connecticut’s Safe Harbor
Two new data security laws were enacted on October 1, 2021, by the state of Connecticut. One of the laws modified the state’s existing breach notification requirements by expanding the types of personal information that trigger required notifications, such as passport numbers or biometric information. In addition, it condensed the breach notification window from 90 days to 60 days. But the law also included a second provision that is part of a welcome trend. Connecticut is one of three states that now provide safe harbor for companies that have formally created and maintained a written cybersecurity program containing administrative, technical, and physical safeguards to protect personal and restricted information. Companies that meet this standard are protected from punitive damages related to a given breach. Connecticut is now the third state to enact cybersecurity safe harbor protection measures; Ohio and Utah have similar statutes. Connecticut’s update encourages organizations to establish “reasonable security measures”.
October 2021 – FTC Revises the Safeguards Rule
The Federal Trade Commission (FTC) released final revisions to the Gramm-Leach-Bliley Safeguards Rule (Safeguards Rule). One section addresses service provider oversight and states, “These provisions require the financial institution to take reasonable steps to select and retain service providers that are capable of maintaining reasonable safeguards. This provision also requires the inclusion of contractual provisions that require service providers to implement and maintain appropriate safeguards.”
October 2021 – CIS RAM v2.0 Release
CIS RAM v2.0 was released in October through HALOCK’s partnership with CIS. In addition to incorporating the new CIS Controls v8, the 2.0 release changed the way in which it approaches risk itself. Rather than asking, “how likely is it that a given risk will occur?”, the question is now “when a security risk occurs, what is the most likely way it will happen?” To answer this question, CIS RAM now uses data about real-world cybersecurity incidents to learn more about attack methodologies. CIS RAM v2.0 retains the three implementation groups and will publish three separate controls frameworks that align with the three CIS Controls Implementation Groups. Each document provides insight into how each category of organization can accomplish its risk assessment and attain an appropriate level of security for its enterprise.
July 1, 2022 – CPRA Requires the CPPA to Adopt Final Regulations
CPRA, mentioned earlier, is managed by the California Privacy Protection Agency (CPPA). The CPPA had been holding open meetings to allow for public comment on preliminary rulemaking activities. The deadline for comment was November 8, 2021. CPPA is now reviewing those comments and will make modifications to the legislation as appropriate. CPRA has an inherent deadline of July 1, 2022, at which time the final regulations must be adopted.
Jan 2023 – Colorado Privacy Act (CPA)
Colorado will implement its own data privacy law called the “Colorado Privacy Act (CPA).” CPA will apply to any organization that controls or processes the personal data of 100,000 or more Colorado consumers. Those that derive revenue from the personal data of 25,000 or more Colorado-based consumers will also fall under its jurisdiction. It will require employers to implement formalized privacy programs for HR data as well. In addition, the law requires certain persons and entities to take reasonable steps to protect personal identifying information (PII). Applicable persons or entities include companies that conduct business in Colorado or sell goods and services targeted to Colorado residents and that either manage the data of more than 100,000 consumers or receive revenue or discounts from the sale or management of the personal data of 25,000 consumers or more.
Like Colorado, Virginia has its own regulatory compliance set that will be enforced starting in 2023. The VCDPA applies to qualifying legal entities, otherwise known as controllers, that conduct business in the state of Virginia or produce goods or services that target consumers who reside within the state of Virginia. It defines ‘personal data’ as ‘any information’ that is linked or reasonably linkable to an identified or identifiable person, including geo-location, biometric, and genetic data. It will require companies to conduct data protection assessments related to the processing or storage of personal data as well as the implementation of technical safeguards. Businesses must operate reasonable security practices to protect personal data.
Being Reasonably Secure
There are two definite trends that will continue to magnify in 2022: the increasing number of threats and the increasing amount of state legislation. Both will force companies to adopt reasonable measures to address them. Defining reasonable security begins with an understanding of your security profile, gained by conducting a risk assessment that considers your duty of care.
Start with a Duty of Care Risk Assessment checklist. Then, by conducting a Duty of Care Risk Analysis (DoCRA)-based risk assessment, HALOCK can review your risk posture and create a roadmap to achieve a ‘reasonable’ and ‘appropriate’ security strategy that safeguards your data for your changing environment.