Reasonable Cybersecurity Guide

In the United States, there is no national, statutory, cross-sector minimum standard for information security. No national law defines what would be considered reasonable security in matters involving data breaches. The federal and state governments have various statutes, regulations, policies, and caselaw covering elements of cybersecurity, like data breach notification and data privacy.

But all of these efforts fail to specify what an organization must do to meet the standard of reasonable cybersecurity.

The purpose of this guide is to do just that.

In collaboration with recognized technical cybersecurity and legal experts, the independent nonprofit Center for Internet Security^® (CIS^®) is publishing this guide to provide practical and specific guidance to organizations seeking to develop a cybersecurity program that satisfies the general standard of reasonable cybersecurity. This, in turn, could be a valuable resource to assist cybersecurity professionals, counselors, auditors, regulators, businesses, and consumers as well as lawyers and courts, in assessing whether an organization’s program meets this same standard when the compromise of protected information gives rise to litigation or regulatory action. An equally important goal for publishing this guide is to reduce litigation resulting from data breaches. Building on laws and regulations currently in place, this guide identifies what is minimally adequate, absent express law governing the circumstances, for information security protections commensurate with the risk and magnitude of harm that could result from a data breach.

The authors of this guide considered federal and state laws, existing regulations, various industry best practices and cyber frameworks, and other resources to derive and propose a methodology for determining what should be considered reasonable cybersecurity to thwart data breaches. While there is no comprehensive U.S. law defining reasonable cybersecurity in all settings, this guide offers principles that may be used in interpreting and applying the laws that do exist.

Finally, this guide provides, as an example, how one framework, the CIS Critical Security Controls^® (CIS Controls^®), can be implemented prescriptively and in a manner that affords all those who use and rely on the technology ecosystem the ability to assess whether reasonable cybersecurity measures were taken.