“Reasonable” and “adequate” seem like benign terms, until you have to litigate using them as the standard for data security. Over the coming years, the definition of “reasonable security” (and the alleged failure of companies to maintain that standard) will likely be much debated and litigated, costing companies millions of dollars because of the difficulty of agreeing on, and then evidencing, that level of safeguards. The only apparent certainty of a “reasonableness” standard in California is that the plaintiffs’ bar will sue to find out which combination of security controls (or lack thereof) determines victory in the inevitable onslaught of class action cases.
Most data protection laws and regulatory agencies have historically lacked specificity regarding the minimum necessary controls for adequate data security. For example:
Consequently, many information technology organizations have focused instead on aligning their operations with recognized security frameworks such as ISO/IEC 27001 from the International Organization for Standardization (ISO), the Payment Card Industry Data Security Standard (PCI DSS), the National Institute of Standards and Technology (NIST) Cybersecurity Framework and others.
As states begin to impose more prescriptive, stringent standards for the security of their residents’ personal information, companies must determine how to define and maintain reasonable security or face greater consequences, including a private right of action. This article looks at two states that have recently passed legislation following the lead of Massachusetts (whose data security regulation, 201 CMR 17.00, has required a written information security program since 2010), providing greater detail regarding what is meant by “reasonable security,” in a trend that shows no signs of slowing. While the term may be interpreted slightly differently across state lines, there are several commonalities, as the examples below show.
Last year, New York enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), amending the state’s data breach notification law. The SHIELD Act introduces significant changes, including expanding the definitions of “private information” and “breach,” thereby increasing the likelihood that companies will trigger requirements under the law. The act, whose breach notification amendments took effect October 23, 2019, also added new “Data Security Protections” to the New York General Business Law (Section 899-bb). These new standards, referred to as the “reasonable security requirement,” take effect March 21, 2020, and apply to any person or business that owns or licenses computerized data that includes the private information of a New York resident, regardless of where that person or business is located. Under the law, these reasonable security safeguards include:
The groundbreaking California Consumer Privacy Act (CCPA), which took effect January 1, 2020, contains many new or expanded privacy rights for consumers. One of its most impactful new requirements is contained in Section 1798.150, which creates liability for companies that suffer a breach of nonencrypted and nonredacted personal information as a result of a failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. Fenwick previously summarized the reasonable security implications of the CCPA, suggesting that businesses benchmark their controls against the 20 Center for Internet Security Controls (CIS Controls), which the California Attorney General’s 2016 Data Breach Report identified as the “minimum level of information security that all organizations that collect or maintain personal information should meet.” These controls cover, among other things, inventorying hardware and software, monitoring network connections, limiting user and administrative privileges, performing regular vulnerability assessments and patching, and security awareness training. Unlike many other privacy laws, the CCPA gives consumers a private right of action against a company that fails to maintain reasonable security and suffers such a breach, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. Before a consumer may sue for statutory damages, however, the consumer must give the company 30 days’ written notice identifying the specific provisions allegedly violated; if the company actually cures the violation within that period and provides the consumer a written statement that it has done so, the consumer may not proceed with an action for individual statutory damages.
Companies must recognize the rising bar for security programs and standards, and act now to inventory, review and strengthen their information security controls, documenting the results so that reasonableness can be evidenced if it is ever challenged.
Sample Excerpt of Control Inventory
Excerpt of Fenwick's Reasonable Security Questionnaire
Sample Strategic/Remediation Roadmap