Can Your Cyber Security Program Meet the Reasonableness Test?
By Chris Bullock, Managing Member and CEO and Ashley Ferguson, Managing Member and President
The Legal Origins of Reasonable
In criminal and tort law there is a term used to explain a hypothetical person by which the accountability of civil and criminal liability can be measured against. The term is known as “reasonable person”. Questions such as “what would a reasonable person have done in this selfdefense scenario” or “what would a reasonable person have done if placed in this moral dilemma” are raised in various cases regularly in courts across the United States. The “reasonable person” is the standard by which many cases are decided. The term “reasonable person” is considered to be an objective term that describes a hypothetical individual who would exercise average care and judgement in circumstances without any specialized skills. The very term “reasonable” is often times found in many contracts between organizations large and small as it relates to cyber security measures. It can also be located in government regulatory language holding organizations accountable for ensuring they maintain a “reasonable” cyber security program. The various contract and regulatory language specifics call out that “reasonable” cyber security measures must be in place at an organization. Organizations must ensure that their cyber security programs can meet this reasonableness test if challenged in a court of law and be able to articulate why their program is in fact reasonable. One can argue that theoretically based on the legal definition of reasonable, the reasonableness of a cyber security program becomes more stringent over time due to the expansion of the average person’s knowledge about cybercrime resulting from daily exposure to technology and news reports about cyber security risks.
Corporate Executives Expected to Have a Higher Knowledge of Effective Cyber Security Today
In 2017 there were approximately 830 documented data breaches. In 2018 that number rose to approximately 945 breaches. In 2019 the upward trend is expected to continue. Data breaches are highly media centric events, particularly if they are large in scope and include personally identifiable information (PII). The average person is subjected to these media reports via television news stories, radio news stories, social media, direct data loss notifications and a litany of other media outlets. The average person is also informed of the penalties including civil liability, regulatory sanctions, and even criminal prosecutions that can occur as a result of data breach events. We no longer live in a society where the average individual does not understand what implications come with not securing valuable, sensitive, and regulated data. A corporate executive, fiduciarily responsible officer or Board of Directors member that is in a position to directly affect an organization’s cyber security program is expected to have an even higher “average knowledge” of the importance of cyber security and the general components of what makes up an effective cyber security program. Courts are beginning to hold these individuals more accountable and we expect this accountability to evolve further based on the expectation their knowledge of risks will be more keenly developed.
What is a Reasonable Cyber Security Program?
What is a “reasonable” cyber security program? In recent years there have been various cyber security frameworks released in response to an array of standards and regulations. The list of acronyms and expectations continue to grow right along with the risks and exposures. Various standards and regulations exist across industries and across disciplines with sometimes conflicting expectations. With such varying expectations how then can courts and fiduciarily responsible corporate officers know what is legally “reasonable” when it comes to a cyber security program? To help analyze this further it might help if we continue to compare some of the criminal laws unrelated to cyber security to this test of “reasonableness”.
Analysis of Reasonableness Compared with Criminal Law Examples
If we look at DUI law for instance, we will find that there is a set numeric blood alcohol level which is seen as an absolute determination of if someone is legally intoxicated. However, there is also a term within the law that circumvents this set number and allows a person to be charged under a lower numeric value if that person is determined to be a “less safe driver”. This basically means a driver was involved in an accident or exuded some erratic behavior while being under the influence of alcohol yet didn’t register at a value equal to or above what is considered an intoxicated driver. The driver was considered DUI because they had a wreck or unusual circumstances while under the influence of alcohol and their condition was articulated by a police officer whose experience exhibits his/her knowledge of what constitutes a safe driver due to their daily exposure to driving behaviors as part of their job. The law considers every element of a situation including those elements that are applied based on a set of circumstances and the opinions of experts along with the strictly defined bright line rules. In our Legal Advisory and Executive Advisory practice, we are starting to see a similar shift in how cyber security program “reasonableness” is beginning to be analyzed in the courts during civil litigation and we expect it to be a new weapon in criminal prosecution in extreme cases of negligence and government regulatory violations.
CISO’s and Advisory CISO’s as Expert Witnesses
Cyber security frameworks, along with the expert opinions and experience of former Chief Information Security Officers (CISOs), are beginning to be used to define what a “reasonable cyber security program” is within litigation such as data breach suits. The average care and judgement corporate executives and fiduciaries are expected to exercise when defining and supporting budgets and building programs around cyber security are expanding. As knowledge and exploitation of cyber security risks increase, the public’s expectation of executive accountability also increases. Look for expert witnesses to be utilized even further by both plaintiffs and defendants in data breach cases to help establish the true “reasonableness” of a cyber security program and budget. Ideally placing experienced CISOs on the stand as third-party experts for either plaintiff or defendant side litigation will become the norm just as police officers are placed on the stand as experts in various criminal and civil cases. Advisory CISOs are beginning to hold enormous value as expert witnesses due to their experience providing CISO functions across multiple organizations and industry verticals, in addition to being seasoned cybersecurity leaders with experience establishing programs from birth to maturity in a variety of environments. So how does all of this provide the answer to what a “reasonable cyber security program” is when placed under legal test?
Executives and the BOD must be Prepared to Articulate Under Legal Test
In business law, attorneys and the courts often reference duty of care. Duty of care is defined as the expectation that if a person’s actions do not meet the standard of care, then the acts are considered negligent, and any damages resulting may be claimed in a lawsuit for negligence. In this definition the “reasonable person” term is used again. Given the widely published cyber security frameworks available today, the numerous cases in the news regarding data breaches, and the access to cyber security expertise in the business world, a corporate executive must be prepared to articulate why they believe their cyber security program is “reasonable” and feel confident that it can stand the analytical evaluation of a seasoned CISO placed on the stand as an expert witness. The ability to answer questions regarding proper budget allocation for cyber security and top down support for risk mitigation is crucial. Inevitably this will be the tough legal test and culmination of circumstances that executive leadership and the Board of Directors are faced with if ever brought under suit or investigated by a government regulatory agency.
Don’t Be the Organization that Fails the Test
When placed under the tough “reasonableness” test, executive leadership of organizations must be able to clearly articulate key cyber security strategy decisions such as why they provided a certain budget allocation to cyber security, why they hired or did not hire a CISO, why they did or did not utilize third-party independence in the evaluation of their cyber security risk and ultimately why they accepted certain risks as the fiduciarily responsible officers of the organization if it resulted in the compromise of numerous personally identifiable pieces of customer information. Evaluating the various lawsuits around data breach events demonstrates the courts and society are trending toward no longer tolerating the excuse of ignorance about cyber security based on its technical complexity and are beginning to expect knowledge of its importance as part of the knowledge of a “reasonable person”.