The Quest for “Reasonable Security” Part One: Obtaining Reasonable Security Using State Legislation and Enforcement Action as a Guiding Light
The first of its kind in the United States, California’s comprehensive data privacy and security law—the California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA)—has inspired other states to create their own data privacy and security laws. Significantly, the CCPA’s limited private right of action is based on an organization’s failure to implement or maintain reasonable security measures. The CCPA and many other state privacy and security laws include a short, vague provision that looks like this example from Virginia (give or take a few words):
“Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data…”
It is apparent that states value data security, as they have injected this provision into every comprehensive data privacy and security law. However, because what constitutes “reasonable security” is unclear, organizations can look toward the states to clarify how reasonable security is obtained through reports, legislation, and enforcement.
California’s Data Breach Report
In 2016, then-California Attorney General Kamala Harris released a report examining data breaches from 2012 to 2015. Not only did it reveal the increased magnitude and intricacy of data breaches impacting various industry sectors, but it also provided insights into how an organization could reach reasonable security through the 20 controls outlined in the Center for Internet Security’s Critical Security Controls (CIS Controls). Released in 2021, the current version (CIS Controls V8) outlines 18 critical security controls. CIS controls map to popular security frameworks including the Health Insurance Portability and Accountability Act, General Data Protection Regulation, National Institute of Standards and Technology, and International Organization for Standardization 27001. The report also recommended strong encryption and multifactor authentication options on consumer-facing accounts containing sensitive personal information.
Several of these frameworks predate most states’ comprehensive privacy and security laws, and some states have adopted security frameworks in lieu of comprehensive laws. For example, in a unanimous vote, Connecticut lawmakers passed H.B. 6607 to provide organizations adopting CIS Controls to use it as a defense for any claim alleging failures to implement reasonable security. Similarly, Ohio lawmakers provide organizations a “safe harbor” if they adopt an approved data security framework (including CIS Controls). Massachusetts took it a step further with a law that outlines security requirements, including standards for protecting personal information and computer-system security.
The Colorado Attorney General’s Office (CO AG) investigates and reports on organizations that fail to meet reasonable security standards. In 2022, Denver’s Savory Spice Shop was reprimanded for failing to implement administrative safeguards like a written information security program and an incident response plan. Further, it failed to implement technical safeguards including a web application firewall, checksum software, intrusion detection system, and long-term web server log storage. That same year, CO AG provided specific safeguards that Miami-based Carnival must implement and maintain in order to comply with Colorado law. These included employing a chief information security officer and implementing email security awareness, email filtering and phishing solutions, encryption, account access/control monitoring and audits, password management, multifactor authentication for remote access, firewalls, and penetration testing.
The California Attorney General’s Office (CA AG) also enforces its data privacy and security laws on organizations. In 2020, CA AG announced settlements against Glow and Anthem. Glow operates a fertility-tracking mobile app that stores personal and medical information. The settlement mentions Glow’s “basic security failures,” including failing to maintain account access control and password-management security. In comparison, the settlement with Anthem involved a well-publicized 2015 data breach. Anthem’s reported security failures included inadequate access restrictions, insufficient protection of account credentials, neglected security tool updates, and inadequate logging and monitoring of network activity to detect malicious actions.
While these state enforcement actions highlight unreasonable security practices, deducing what “reasonable security” means is still puzzling. Thus, states that enforce laws requiring organizations to meet reasonable security standards must examine recent court decisions to determine if their security laws are too vague and unenforceable.
Other state laws have taken a non-prescriptive approach to data security, with the goal of allowing organizations more flexibility to use employees’ institutional knowledge, experience, and training to implement security measures that best fit a given situation. But this approach might not be repeatable, efficient, or effective. For example, if an organization loses employees, the institutional knowledge might leave with them. Further, an organization might not have the resources to maintain reasonable security in a rapidly evolving technological landscape. Or, as in the case of the 23andMe data breach in 2023, what constitutes “reasonable security” can be debated without specific data-security requirements.
On the other hand, a prescriptive law might be repeatable even after critical employees leave an organization; however, it might not be the most efficient or effective approach and would not account for all the risks an organization encounters. Further, data security laws are often too slow to adapt to rapidly changing security issues. Even worse, prescriptive laws might encourage organizations to implement “check-the-box” compliance rather than an adaptive and robust security program. And while some organizations have sensitive data that warrants strong security measures, others do not. A one-size-fits-all solution would prevent these organizations from allocating resources to innovation, focusing instead on compliance with outdated laws. As adequate data security standards continue to evolve, lawmakers should keep a flexible, non-prescriptive approach in mind. Malicious actors will continue improving their methods, which is why “reasonable security” is reasonable until it is not. Laws should instead allow organizations to take a fact-specific approach when designing and implementing administrative, technological, and physical measures.
Future State Action Will Guide Organizations to Reasonable Security
In December 2023, the California Privacy Protection Agency (CPPA) released the Proposed Rulemaking Draft for Cybersecurity Audit Regulations, a mandate from the CPRA. The proposal highlights the steps a covered entity must take if it processes a consumer’s personal information and presents a “significant risk” to consumer security. In short, the draft borrows best practices from CIS Controls. It requires a covered entity to explicitly explain how they incorporate each cybersecurity component, why they believe a component is unnecessary (if applicable), and how their current safeguards provide at least equivalent security. Similarly, the Colorado Privacy Act (CPA) permits the state’s attorney general to “promulgate rules” to administer the CPA. And in January 2024, New Jersey passed a comprehensive data privacy and security bill that authorizes the director of the Division of Consumer Affairs in the Department of Law and Public Safety to promulgate rules and regulations to effectuate it.
Several states will look to introduce and pass comprehensive state data privacy and security or cybersecurity-specific laws this year. These potential laws—especially those that mandate rulemaking authority—could influence or guide how “reasonable security” is obtained.
Part 2: Using International Law, Federal Legislation, and Executive Orders to Illuminate Reasonable Security
Part 3: Deducing Reasonable Security from Federal Regulations, Rulemaking, and Enforcement Action