Advanced Cyber Security Center Panel Explores Reasonableness in Cybersecurity

Christopher Escobedo Hart
Foley Hoag LLP - Security, Privacy and the Law
Contact
LinkedIn
Facebook
X
Send
Embed

I had the pleasure of moderating an excellent panel at the Advanced Cyber Security Center’s annual conference on November 4. The panel’s topic for discussion was “What is Reasonable in Cybersecurity: Responsibility and Accountability for Cybersecurity Practices.” I learned a great deal from our excellent panelists, Gus Coldebella (Fish & Richardson), Deborah Hurley (Harvard University), and John Krebs (Federal Trade Commission), as well as from the audience’s questions.

The benefit of a cybsecurity practice being “reasonable” is that, if a breach occurs or data is otherwise compromised, a business can defend and justify its practices to regulators, law enforcement, and the public. But even more than that, a “reasonable” practice is one that can prevent and mitigate harms – which is ultimately what cybersecurity regulations seek to accomplish.

Here are some of my thoughts arising from the panel’s discussion:
• Cybersecurity is not a merely an IT issue. It is also a business issue and a legal issue. But it is also never one of those three things alone. Good cybersecurity practices are holistic: what is a good IT practice is also a good business practice and also can act to shield a company from liability when the worst happens.
• Good risk management practices are largely “translatable” to risk management in cybersecurity.
• That said, the possibility of “catastrophic risk” makes cybersecurity different. Data being compromised can be far beyond a mere nuisance; it can pose an existential risk.
• What deems a company’s actions with regard to cybersecurity “reasonable”?  Achieving “reasonable” is difficult in any context, and it can be bewildering given the variety of state and federal laws and regulations (not to mention international laws and standards). However, best practices and company policies do not differ greatly from jurisdiction to jurisdiction, and this goes a long way to establishing what is “reasonable”. Well-thought-out policies that are tied to a company’s own unique business and infrastructure; training employees; accessing and using data only as needed; repeatedly auditing systems; these are good practices that can help shield businesses from liability when the worst happens, and are smart business practices to mitigate risk.

Kudos to the ACSC for putting on an excellent conference.

 

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley Hoag LLP - Security, Privacy and the Law | Attorney Advertising

Written by:

Foley Hoag LLP - Security, Privacy and the Law
Foley Hoag LLP - Security, Privacy and the Law
Contact
more
less

Foley Hoag LLP - Security, Privacy and the Law on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide