Sedona Conference Proposes Legal Test for “Reasonable Security”

The legal risks associated with cybersecurity continue to increase, as regulators and plaintiffs’ lawyers become more and more aggressive in bringing cybersecurity claims under existing laws and as legislatures continue to enact new ones. A key element of many of the cybersecurity claims brought under these laws is a requirement to show that the company in question failed to implement “reasonable” security for personal information. California’s new Consumer Privacy Act (“CCPA”), for instance, allows consumers to sue businesses for statutory damages when specified types of personal information are subject to unauthorized access and exfiltration, theft, or disclosure because of a failure to implement and maintain “reasonable” security measures and the business has not cured the alleged violation within the CCPA’s pre-suit period. Cal. Civ. Code § 1798.150. Even though consumers often suffer no injury in a data breach, the CCPA provides for statutory damages of $100–$750 per consumer per incident.


But what, exactly, is the legal test for determining whether a company has implemented “reasonable” cybersecurity? Unfortunately, the answer is not clear. And this is a particularly serious problem given that the consequences of being found not to have “reasonable” security in place can be so severe.


In a new paper just released for public comment, Commentary on a Reasonable Security Test, the Sedona Conference—a renowned research and educational institute dedicated to the advanced study of law—seeks to fill the gap by proposing a test for “reasonable” security. The proposed test is of use not only to adjudicators tasked with applying the nebulous “reasonable security” requirement, but also to businesses and other entities seeking to assess whether they pass the requirement.


The Commentary explains that its proposed test is designed to be consistent with models for determining “reasonableness” that hav ..
