[BreachExchange] What Does “Reasonable” Data Security Mean, Exactly?

Destry Winant destry at riskbasedsecurity.com
Mon Jul 23 20:11:17 EDT 2018


https://www.natlawreview.com/article/what-does-reasonable-data-security-mean-exactly

One of the most bedeviling aspects of data privacy and security law
concerns the concept of “reasonable” data security, which has become
the default statutory and common law standard.  The FTC began
articulating a reasonableness standard in the early aughts, when the
Commission first began scrutinizing companies’ data security
practices.  Companies for years quietly grumbled about the vagueness
of this standard, which isn’t defined in any regulations or federal
statutes. Critics obtained a recent victory when the Eleventh Circuit,
in LabMD v. FTC, struck down an FTC judgment on grounds that the
relief sought by the FTC against LabMD, implementation of reasonable
data security practices, was too vague to be enforceable.

Meanwhile, some 18 states have passed laws requiring businesses to
implement reasonable data security practices. Very recently,
California passed a new privacy law, the California Consumer Privacy
Act (CCPA), which provides consumers with a private cause of action
for the unauthorized access to and exfiltration, theft or disclosure
of personal information in violation of a business’ duty to provide
“reasonable data security procedures and practices.”  Consumers can
initiate individual or class action claims seeking statutory damages
of $100-$750 per consumer per violation.

The GDPR, which has extra-territorial application and a draconian
penalty structure, has a very similar standard, requiring data
controllers and processors to implement “appropriate” technical,
physical and administrative controls to protect personal information.

The principle that companies must provide for reasonable data security
is also the basis for many data breach class actions.  Common law
theories of liability, such as negligence, typically assert that
businesses have a duty to provide consumers with reasonable data
security.

The concept of “reasonableness” itself is a notoriously vague standard
that often turns on whims of the fact-finder for highly case-specific
reasons, making it difficult for a business to draw clear lines.  To
complicate matters further, what constitutes reasonable data security
may shift depending on the nature of the data held by the business,
the industry, and the scope of threats.  Reasonable for a Fortune 100
technology company may not be the same as for a small or medium-sized
company. Of course, in the mind of many legislators and regulators,
opting for a flexible standard like reasonableness may be preferable
to imposing strict granular requirements that may be unduly burdensome
to small businesses.  Under this school of thought, the definition of
“reasonableness” will be fleshed out by future courts and through
regulatory enforcement actions.

But this hasn’t happened. To date, none of the data breach class
actions that have proceeded past the summary judgment phase has
litigated to judgment the issue of reasonableness.  With the exception
of cybersecurity regulations issued by the New York Department of
Financial Services, none of the states that have passed data security
laws has explicitly stated what reasonableness means or set forth a
comprehensive list of processes/policies that a company should have in
place.  The Eleventh Circuit, as noted, has ruled that the FTC
standard of reasonableness is too vague to be enforceable as a civil
penalty, but neither Congress nor the FTC has offered any more
granular guidance on the meaning of reasonableness.  The GDPR does not
define “appropriate” or provide guidance as to its practical
application.  In short, there is a significant hole in the center of
data security law that desperately requires definition, particularly
as the possibility of substantial statutory damages and civil
penalties for failing to maintain reasonable data security becomes a
reality for US businesses.

In an upcoming series of blog posts, we’re going to more closely
examine the concept of reasonable data security and offer our thoughts
on what policies and practices businesses ought to adopt to meet this
elusive and slippery standard.
