The 2019 NetDiligence Claims Study shows that litigation defense, litigation settlements, regulatory defense, and regulatory fines make up a significant portion of claims allocation. Since statutes, regulations, and judgements may all be tied to the establishment of “reasonable” security, it behooves organizations to examine whether they have met this standard. Unfortunately, as the NetDiligence Virtual Summer Summit panel “What is Reasonable Cybersecurity?” proves, defining “reasonable” is not an easy task.
Moderator Andy Maher (AXIS) led panelists Chris Cronin (HALOCK), Doug Meal (Orrick LLP), and Tim Murphy (Office of the Attorney General for Pennsylvania) in a spirited discussion which gave hints of how this issue could become combative in a high-stakes legal setting. But as Cronin pointed out, the very fact that definitions are evolving in contentious settings obscures the fact that litigators, regulators, and insurers do have a common understanding of how risk is assessed. And so, the tasks of defining terms, weighing their utility, and applying them through a risk-based analysis process should fall on experts such as the assembled panel.
Why is the term “reasonable” so sticky? On the one hand, since technology moves quickly, hard definitions will rapidly become obsolete. Murphy sees keeping definitions loose as the way for standards to keep up. Meal, on the other hand, states that a loose definition becomes meaningless, since requirements that are undefined cannot stand in a legal context. And while the toolset for measuring the foreseeability of harm exists, without regulation or legislation, the definition remains dependent on judicial actions which still lie in the future.
In the absence of a consistent legislative definition, regulators, litigators, insurance carriers, companies, and information security practitioners have expressed two sorts of models: outcome-based (built on industry standards, statutory requirements, and regulations) and process-based (built on robust risk analysis, assessment, mitigation, and documentation).
The panel dispensed quickly with outcome-based actions. Theoretically, they provide a clean line, but in reality, industry standards are themselves difficult to prove. Furthermore, standards may be written to describe an absolute minimum level which a court may find insufficient. Finally, there may be some daylight between “standard” and “custom,” so organizations simply doing what is common in their industry may be left with few standards at all.
Process-based actions are more nuanced and provide the additional benefit of looking beyond avoiding legal penalty. As Cronin describes, process provides due diligence for organizations. Some basic elements will remain constant across industries and companies, but additionally, the process will lead to company-specific controls and priorities. Murphy added that a “check the box” approach cannot compare to relevant risk assessment, and that he expects settlements increasingly to be based on whether thoughtful, comprehensive, and well-documented plans exist.
Emerging as a new possibility are actions based on a cost-benefit approach. The panel was eager to debate how this approach might work in the cyber space, using precedent set elsewhere. Federal law has used the cost-benefit standard to measure the effects of new regulation, and product liability cases have shown how risks and benefits can be measured and even quantified. Meal notes that judges are familiar with how cost-benefit analysis works, providing another advantage to the litigator.
On the other hand, measuring the cost of risks and the costs of controls runs up against the problem of measurement. Murphy makes the case that measurability does not mean quantification, and that the main goal should be to make different types of measurements comparable. Meal expresses skepticism, noting that cybersecurity involves intangible and non-cognizable (and therefore legally non-existent) risks. If these barriers can be reduced, however, the cost-benefit approach may provide a new and better solution for firming up the fluid notion of “reasonable” cybersecurity.