Reasonable Cybersecurity is not a technological standard; it’s a legal and managerial standard. The nature of the cyber threat is very intense. We see example after example of organizations that are spending a lot of money on cyber risk management, and yet they continue to get hacked. We need to practice Reasonable Cybersecurity.
The Reasonable Person Standard
If you’re in a noncriminal lawsuit, at some point the jury is going to be asked to consider something from the perspective of the reasonable person. The Reasonable Person is considered to be someone who is acting with the information that jurors have been given and is assumed to be acting reasonably. The reasonable person is someone who acts rationally under sometimes unusual circumstances.
Who Defines Reasonable Cybersecurity?
Of course, government regulators like the Federal Trade Commission play a part in defining reasonable cybersecurity. But it’s more than that. Reasonable Cybersecurity is defined by the sum total of the cases, jury findings, facts, and circumstances within each case. Furthermore, it’s defined within specific contracts between business partners and business associates. Definitions of reasonableness appear in affiliate agreements, NDAs, supply chain contracts, and vendor contracts. Everyone defines reasonable cybersecurity differently, and it’s a moving target. Something that was reasonable cybersecurity three years ago is not going to be reasonable cybersecurity now.
What Constitutes Reasonable Cybersecurity?
If you’re an executive, manager, or IT security professional, you’re probably thinking this is annoying, nebulous, and difficult. You may be asking yourself, “How in the world do I deal with something this vague?” Most of us are used to looking at a law or a regulation and then converting it into a checklist. It would be nice if we could go down a list, check the boxes, and be confident that what we did constitutes reasonable cybersecurity in a court of law.
Mindful Cybersecurity and Good Cyber Hygiene
Certainly, you can use checklists to your advantage when you’re coming up with your own reasonable cybersecurity program, but ultimately the choice to use reasonableness demands a constant fact-specific inquiry. Reasonable Cybersecurity is about mindful cybersecurity and good cyber hygiene. It’s something that you can point to and say, “Look, we did what we could.” Perhaps a way to think about it is the way the famous coach John Wooden did in his UCLA days. He defined success as doing your best, not competing with someone else. Think of reasonable cybersecurity like that. Did you do the best that you could do?
You don’t need to spend all of your money on cybersecurity, but you have to spend what is reasonable. If you’re a mid-sized company, with revenues of $200 million a year, it’s not reasonable to install a firewall and say, “I’m done.” It really varies. There are tools. If you like checklists, checklists can help, but they’re only a component of a reasonable cybersecurity program.
Next week we’ll continue the discussion on what’s reasonable in terms of cybersecurity.