Reasonable Cybersecurity
The requirement of "reasonable" cybersecurity has entered into the public discourse following several high-profile data breaches and a growing number of state data privacy laws. Unfortunately, there is not a national, statutory, cross-sector minimum standard of what constitutes reasonable cybersecurity. Public and private sector entities and the courts are left with an incomplete picture from which to define this important concept.
Reasonable cybersecurity refers to measures that are intended to protect against the loss, misuse, or unauthorized access to, or modification of, information or data based on the appropriate standard of care of how a reasonably prudent person in the same or similar circumstances would act. Considerations include but are not limited to the:
- Size and complexity of the organization
- Nature and scope of the activities of the organization
- Sensitivity of the information to be protected
- Cost and availability of tools to improve information security and reduce vulnerabilities
- Resources available to the organization
Why Is Reasonable Security Important?
The U.S. federal and state governments have various statutes, regulations, caselaw, and enforcement actions that impact cybersecurity. These include incident notification and data privacy laws, as well as “safe harbor” provisions to encourage the voluntary adoption of "reasonable" cybersecurity. However, none include a definition that adequately describes what organizations need to do to achieve reasonable cybersecurity.
The Benefits for Businesses
In the absence of a clear understanding of reasonable cybersecurity, organizations can be uncertain about specifically what they need to do to comply with a state data privacy law or any requirement mandating reasonable security. This can be especially difficult if organizations operate across state lines. To satisfy the language of each applicable state data privacy law, organizations could find themselves confused about how to proceed, or implementing redundant security measures, wasting time and money while possibly not achieving the desired protections of their networks and their consumers’ privacy information.
A definition for reasonable cybersecurity also helps to better clarify organizations' liability in the event of a data breach. If an organization experiences a breach and can't provide evidence that they've implemented the security measures that fall under the definition of reasonable cybersecurity, a court may find them liable under the law of negligence, thus exposing them to lawsuits and other damages from their customers.
What Does Reasonable Cybersecurity Mean for Consumers?
With a clear definition of what they need to do to comply with state data privacy laws, organizations can more easily take foundational steps to protect their consumers' personally identifiable information (PII). If consumers know what constitutes reasonable security, they are more likely to inquire about the level of security that an organization deploys to protect their PII.
How Defining Reasonable Security Helps the Legal System
Today, negligence claims under the common law of various states have become a frequent basis for data breach-related litigation. These types of common law negligence claims often require proving that the person or organization that held the data that was breached both owed a duty of care to the person claiming negligence and failed to exercise a standard of care that a reasonable person would provide. Without a model of what this standard of care entails, judges can only rely on their own subjective understanding of cybersecurity, however limited, to rule on each claim. They can't ground their rulings in an established definition of reasonable cybersecurity from a trusted source.
A Guide to Defining Reasonable Cybersecurity
A Guide to Defining Reasonable Cybersecurity reflects the expertise of recognized technical cybersecurity and legal experts that partnered with the Center for Internet Security® (CIS®) to define reasonable cybersecurity.
Why Did CIS Produce This Guide?
This guide provides practical and specific guidance to organizations seeking to develop a cybersecurity program that satisfies the general standard of “reasonable cybersecurity.” This, in turn, could be a valuable resource to assist cybersecurity professionals, counselors, auditors, regulators, businesses, and consumers as well as lawyers and courts, in assessing whether an organization’s program meets this same standard when the compromise of protected information gives rise to litigation or regulatory action. Building on laws and regulations currently in place, this guide identifies what is minimally adequate for information security protections, commensurate with the risk and magnitude of harm that could result from a data breach.
Reasonable Cybersecurity and the CIS Critical Security Controls
The CIS Critical Security Controls® (CIS Controls®) provide an effective standard of reasonableness that is measurable and clearly defines what organizations must do to achieve minimally adequate cybersecurity protections.
The CIS Controls are prescriptive, prioritized, and simplified security best practices that help an organization defend against cyber attacks. Developed in response to real world threat data, the CIS Controls prescribe what organizations should do to defend themselves against the most common and important attacks.
The CIS Controls afford organizations a means of implementing reasonable cybersecurity practices, and they grant lawyers, courts, regulators, and auditors the ability to assess whether reasonable cybersecurity measures were taken. This is because they break down into the following six components of a reasonable cybersecurity program:
- Know your environment
- Account and configuration management
- Security tools
- Data recovery
- Security awareness
- Business processes and outsourcing
Six states are leading the way. They have expressly identified the CIS Controls as an industry best practice that constitutes reasonable cybersecurity.
CIS Risk Assessment Method and Reasonable Cybersecurity
CIS Risk Assessment Method (RAM) is an approach to quantitative risk analysis (QAM) you can use to assess your cybersecurity posture against the CIS Controls. CIS RAM lays emphasis on three major principles: Risk is tied to the business objectives, is uniquely measured, and its resolution should align with the organization's resources. It provides a defensible cybersecurity strategy emphasizing tailored, risk-based decisions.
These principles align to duty of care and common definitions of reasonableness. As such, CIS RAM empowers you to evaluate each risk based upon the potential of harm to your organization's internal objectives, mission, and obligations to prevent harm to others.
Using CIS RAM ensures that the CIS Controls have been implemented correctly.
Guide
A Guide to Defining Reasonable Cybersecurity
In collaboration with recognized technical cybersecurity and legal experts, CIS published this guide to provide practical and specific guidance to organizations seeking to develop a cybersecurity program that satisfies the general standard of reasonable cybersecurity.
Recordings
Reasonable Cybersecurity: Oxymoron or Opportunity?
Tony Sager, EVP and Chief Evangelist, participated in a 2024 RSA Conference fireside chat with other experts to discuss how to bring technical, legal, and public policy ideas together to improve security at scale.
The Rise of Reasonableness
Through tort principles and new state data privacy laws, we are seeing the rise of “reasonable” security — the duty of care that a reasonable organization owes its customers. However, no one has effectively defined it. In this panel from the 2024 ISAC Annual Meeting, experts — technical, legal, and public policy — discuss key issues and challenges to this problem, examples of progress, and opportunities to improve cybersecurity at scale.
How to Develop a “Reasonable” Cyber Defense Program
In this webinar, CIS experts provide an overview of what "reasonable" cybersecurity is, review current policies within the U.S., show you how to achieve reasonable cybersecurity, and offer a live demo of tools that produce the documentation you need to demonstrate your cyber defense program meets the standard of reasonableness.
Podcasts
- Episode 28: The Convergence of Cybersecurity and Public Policy
- Episode 74: The Nexus of Cybersecurity & Privacy Legislation
- Episode 84: Why We Need to Define Reasonable Cybersecurity
Blogs
- Defining "Reasonable" Security with a Risk Assessment Method
- Reasonable Cybersecurity: On the Need for a Definition