SERIES INTRO

Not only can poor data security affect consumers’ trust in an organization or government, but it also has immense national security implications. Leaders at home and abroad view data as a strategic resource for military advantage and in many other applications. Humans have long sought solutions for securing sensitive information from unauthorized access, whether intentional or unintentional.

But there is immense value in bypassing security measures to access sensitive information—and those threats constantly lurk in the shadows. A well-known example is British cryptanalyst Alan Turing’s decipherment of the German Enigma code, which many believe helped shorten World War II by several years. With these potential threats in mind, nations and organizations of all sizes must make data security a top priority rather than an afterthought.

Unfortunately, few organizations are proactive with their data security. A 2022 IBM report revealed that 83 percent of organizations studied incurred more than one data breach, with the average total cost at an all-time high of $4.35 million per incident. These breaches undoubtedly have affected consumers, as 60 percent of these organizations increased product and service prices in an effort to recoup costs.

Due to the implications of such data breaches, almost all state and federal privacy laws include a short provision mandating that covered entities maintain “reasonable security” measures to secure data. However, they generally fail to explain how reasonable security is obtained. Importantly, data privacy and security are inextricably connected—one cannot exist without the other. Thus, states often provide provisions in their data privacy laws that address data security concepts through data minimization, data retention/deletion schedules, and other means.

As an example of how this can play out, in October 2023, hackers accessed 6.9 million 23andMe users’ ancestry data by reusing previously compromised login information and passwords—a technique known as “credential stuffing.” Reports indicate that 23andMe denied culpability for this data breach because affected users failed to adequately monitor their usernames and passwords. Meanwhile, victims of the breach claim that 23andMe’s data security was insufficient.

Following this incident, 23andMe enhanced its security requirements—all users must now use a two-step verification process or an authenticator app to secure their account. However, given the growing number of security breaches that compromise millions of users’ login credentials, one could argue that 23andMe should have already required enhanced security measures like multifactor authentication, stringent password requirements, or other means to secure user accounts. This argument will be fought out in the courts. But importantly, regardless of judicial decisions, users might lose trust in 23andMe’s data security practices and choose not to use its services. To avoid this scenario, organizations must routinely reassess their security practices and how “reasonable security” might have evolved.

This series will explore how several state and federal laws address reasonable security and data security more broadly. It will also look at how regulatory and state enforcement actions, industry, and federal security standards interpret reasonable security.

CURRENT POSTS

Part 1: Obtaining Reasonable Security Using State Legislation and Enforcement Action as a Guiding Light

FUTURE POSTS

Part 2: Using International Law, Federal Legislation, and Executive Orders to Illuminate Reasonable Security

Part 3: Deducing Reasonable Security from Federal Regulations, Rulemaking, and Enforcement Action