I had the pleasure of moderating an excellent panel at the Advanced Cyber Security Center’s annual conference on November 4. The panel’s topic for discussion was “What is Reasonable in Cybersecurity: Responsibility and Accountability for Cybersecurity Practices.” I learned a great deal from our excellent panelists, Gus Coldebella (Fish & Richardson), Deborah Hurley (Harvard University), and John Krebs (Federal Trade Commission), as well as from the audience’s questions.
The benefit of a cybsecurity practice being “reasonable” is that, if a breach occurs or data is otherwise compromised, a business can defend and justify its practices to regulators, law enforcement, and the public. But even more than that, a “reasonable” practice is one that can prevent and mitigate harms – which is ultimately what cybersecurity regulations seek to accomplish.
Here are some of my thoughts arising from the panel’s discussion:
- Cybersecurity is not a merely an IT issue. It is also a business issue and a legal issue. But it is also never one of those three things alone. Good cybersecurity practices are holistic: what is a good IT practice is also a good business practice and also can act to shield a company from liability when the worst happens.
- Good risk management practices are largely “translatable” to risk management in cybersecurity. That said, the possibility of “catastrophic risk” makes cybersecurity different. Data being compromised can be far beyond a mere nuisance; it can pose an existential risk.
- What deems a company’s actions with regard to cybersecurity “reasonable”? Achieving “reasonable” is difficult in any context, and it can be bewildering given the variety of state and federal laws and regulations (not to mention international laws and standards). However, best practices and company policies do not differ greatly from jurisdiction to jurisdiction, and this goes a long way to establishing what is “reasonable”. Well-thought-out policies that are tied to a company’s own unique business and infrastructure; training employees; accessing and using data only as needed; repeatedly auditing systems; these are good practices that can help shield businesses from liability when the worst happens, and are smart business practices to mitigate risk.
Kudos to the ACSC for putting on an excellent conference.