The privacy and cybersecurity legal landscape is constantly shifting, but one important principle remains unshaken: the requirement for companies to implement and maintain "reasonable" security programs. At both the federal and state levels (including the soon-to-be-enforced California Consumer Privacy Act (CCPA)), companies have long been held to a standard of reasonableness in their protection of personal information and other sensitive data. Although "reasonableness" may seem vague, guidance may be gleaned from regulatory enforcement actions and other statements and from standards-setting bodies. Under any standard, the foundation of a reasonable security program is a comprehensive risk assessment. We explain below the importance of the security risk assessment and how companies can undertake assessments in a defensible, strategic fashion.
Reasonableness is nothing new with respect to cybersecurity. Using Section 5 of the Federal Trade Commission (FTC) Act, the FTC has brought enforcement actions against companies for engaging in practices that the FTC believes present an unreasonable risk to the security of the personal information of employees, customers, and consumers. Many state statutes also require generally that companies implement and maintain reasonable security procedures and practices appropriate to the nature of the information. With the enactment of the CCPA, California is the most recent state to enshrine a standard of reasonableness. Although most efforts to include private rights of action in the CCPA failed, consumers do have a private right of action against companies that experience a breach of personal information "as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices[.]" [1]
We often look to regulatory guidance, enforcement actions, and statements from standards-setting bodies to help define what constitutes reasonable security practices. Examples of unreasonableness alleged by the FTC (in complaints, consent orders, and settlements) include failures to implement appropriate written policies and procedures; failures to implement appropriate vulnerability management and detection programs; and failures to oversee third parties through diligence, contracting, and ongoing monitoring. Several standards-setting bodies, such as the National Institute of Standards and Technology with its Cybersecurity Framework and the International Organization for Standardization (ISO) with its ISO/IEC 27001 risk management framework, provide guidance and risk management processes on which regulators have relied and which may lend insight into the creation of reasonable and appropriate programs.
The Attorney General of California has also weighed in on how to assess the reasonableness of a company's security measures. In 2016, Attorney General Kamala Harris, speaking to the reasonableness standard under California Civil Code § 1798.81, referred to the Center for Internet Security's twenty Critical Security Controls ("CIS Controls"), stating that "[t]he failure to implement all the [CIS] Controls that apply to an organization's environment constitutes a lack of reasonable security." [2] Although this guidance predates enactment of the CCPA, California may continue to look to the CIS Controls when determining the reasonableness of a company's security program in connection with the private right of action.
When faced with the uncertainty posed by attaining a reasonable data security program, companies may want to consider legal requirements, regulatory enforcement actions and guidance, and controls delineated by common and well-known standards-setting bodies. Each of these components can be incorporated into a thorough data security risk assessment. An assessment is tailored to the unique environment in which the company sits, identifies reasonably foreseeable risks to information and systems, and evaluates the propriety of different sets of controls to account for those risks, depending on the magnitude of the risk and operational and resource considerations.
Companies should be thoughtful and strategic when undertaking a security risk assessment. It is unwise, for example, for a company to simply set down on paper all the areas in which it thinks its security is deficient without further explanation of how the company plans to prioritize those risks, whether the risks are significant in the company's environment, and how the company plans to address them. Instead, companies should frame the risk assessment as a driver to reduce both legal and security risk. Setting out unrealistic goals and impossible standards can backfire. Before recommending controls, the risk assessment should consider whether those controls meet organizational goals and are in line with organizational resources and practices. The company should then manage the risks it prioritizes by implementing the controls it has identified as reasonably addressing the threats. The company may later wish to waive any attorney-client privilege claimed over the risk assessment in order to demonstrate to a regulator, or in civil litigation (under the CCPA, for example), the reasonableness of its security program. If the assessment sets out standards that the company cannot reasonably meet, it can instead serve as a road map for regulators or plaintiffs' attorneys seeking to demonstrate unreasonableness, and might lead to costly fines and litigation exposure.
Companies should be conducting risk assessments, and those risk assessments should be thorough, but also thoughtful.