Reasonable Cybersecurity: On the Need for a Definition

In a digital era where cyber threats have become increasingly potent and pervasive, the concept of reasonable cybersecurity is assuming greater significance. "Reasonable cybersecurity" is a phrase that has broad implications across various sectors, especially for businesses that handle sensitive data. Yet the definition lacks clarity and fails to specify what an organization must do to meet the standard of reasonable cybersecurity.

In collaboration with recognized technical cybersecurity and legal experts, the Center for Internet Security^® (CIS^®) has addressed this complex subject in “A Guide to Defining Reasonable Cybersecurity.”

Defining Reasonable Cybersecurity

Reasonable cybersecurity refers to measures that are intended to protect against the loss, misuse, unauthorized access to, or modification of information or data based on the appropriate standard of care of how a reasonably prudent person in the same or similar circumstances would act. By nature, the concept of "reasonable" cybersecurity is both subjective and dynamic.

 

“The standard of reasonableness is important to organizations when it comes to risk assessments and what it is they need to do to implement across their enterprise,” said Phyllis Lee, VP of Security Best Practices Content Development at CIS. “Not only do they need to protect themselves, but of course, there's an obligation to protect others around them, including people affected by their mission.”

 

 

Reasonable cybersecurity varies based on factors including: industry practices, the nature and sensitivity of the information involved, the size and resources of the business handling it, any guidance or industry standards available at that time, foreseeable threats, available technology, and costs. The ongoing evolution of technology and cyber threats requires constant vigilance about what might be considered reasonable at a given point in time.

Reasonable Cybersecurity in the Limelight

The federal and state governments in the United States have various statutes, regulations, and caselaw on elements of cybersecurity, like data breach notification and data privacy. These requirements also increasingly require organizations to implement cybersecurity controls that are reasonable. However, these efforts fail to specify what an organization must do to meet the standard of reasonable cybersecurity. Specifically, they do not require a specific framework, nor do they direct organizations how to interpret or implement the frameworks in a manner by which they can demonstrate due care — a term for fulfilling the standard of care of acting with the necessary caution to avoid foreseeable risks.

 

“One of the questions that is often asked is, 'How to best implement reasonable cybersecurity?' The answer is that you must choose an identified framework, and you need to implement it properly. This guide shows you how to implement it in a way that demonstrates how you have conformed to the actual framework," said Curt Dukes, CIS Executive VP & GM, Security Best Practices Automation Group.

By considering emerging state laws as well as existing industry cybersecurity standards, our guide proposes that a definition for reasonable cybersecurity can be derived, articulated, and implemented.

Guidelines for Businesses and Auditors

Businesses and auditors assessing an organization's security measures post-incident need to understand what constitutes reasonable cybersecurity. They should look for evidence of cyber defenses that include robust incident response procedures, employee training programs, intrusion detection systems, firewalls, encryption technology, and ongoing monitoring. Our guide recommends that organizations adhere to recognized standards, such as the CIS Critical Security Controls^® (CIS Controls^®), while reviewing such measures.

An equally important goal of this guide is to eliminate breaches and, therefore, reduce litigation resulting from data breaches. Businesses should adopt a proactive approach to cybersecurity by conducting regular information risk assessments and disaster recovery planning exercises, which would strengthen their defenses against cyber attacks.

Guidelines for Lawyers and Courts

As the intermediaries between businesses and government agencies dealing with cybersecurity matters arising from data breaches, lawyers play a crucial role. They need to have a sound understanding of legal issues associated with cybersecurity like statutory obligations for data handling or breach notification rules. At the same time, they also must grasp technical concepts related to IT infrastructure to represent their clients effectively.

The court system, which is responsible for interpreting these laws, will also benefit from a clearer understanding of what constitutes reasonable cybersecurity.

Guidance for Regulators

Government-appointed regulators of the cybersecurity industry have a vital role in providing appropriate guidance regarding reasonable cybersecurity measures. To maintain public confidence and trust, they must be able to articulate what their regulations mean when they call for reasonable safeguards. They should, like the states are beginning to do, offer specific guidance that helps organizations to identify more clearly what should be done. For example, the FCC, in a current ruling, specifically referenced the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Performance Goals (CPGs) and the CIS Controls as standards.

 

"If you're going to convince someone else — a regulator, a lawmaker, a judge, a lawyer — that you behave reasonably, the best case is to say, 'I have a way to measure myself against a plan of attack that is understood to be reasonable.' So that says, 'I have some way to say I've looked at a framework of activity. I've chosen the activities that make sense to me, and here's the plan I put in place to execute against that,’” said Tony Sager, CIS Senior Vice President and Chief Evangelist.

The authors of this guide considered federal and state laws, existing regulations, various industry best practices and cyber frameworks, and other resources to derive and propose a methodology for determining what should be considered reasonable cybersecurity to thwart data breaches. While there is no comprehensive U.S. law defining reasonable cybersecurity in all settings, this guide offers principles that may be used in interpreting and applying the laws that do exist.

A Step Forward for Reasonable Cybersecurity

U.S. cybersecurity requirements increasingly reference "reasonable cybersecurity," but none specify exactly what reasonable cybersecurity means. "A Guide to Defining Reasonable Cybersecurity" points to a growing trend in the states of specifically identifying industry best practices that will enable organizations to better protect their business operations and their customers’ personally identifiable information (PII). It goes on to provide, as an example, how one framework, the CIS Controls, can be implemented prescriptively and in a manner that affords lawyers, courts, regulators, businesses, and auditors the ability to assess whether reasonable cybersecurity measures have been taken.

Ready to align your cybersecurity program to the standard of reasonable cybersecurity?