Statutory regimes such as GDPR and CCPA have already raised the stakes around protecting data. But with privacy and security becoming increasingly important variables in the work-from-home (WFH), peripandemic reality that has become the new normal for nonessential businesses, the question of what is ‘reasonable’ arises.
In this new and ever-evolving environment, everyone has a different read on reasonableness — from governors facing the critical decision of whether to lift protective orders, to citizens deliberating whether to wear a mask during their morning walk. Even my dog thinks it’s reasonable to solicit a treat every time I walk by my kitchen (note: I’m usually on my way there to get one myself). Clearly, expectations shift in concert with circumstances, not just regulations.
In particular, with increased reliance on platforms like Zoom and Houseparty — which have both been subject to scrutiny for fallibility — to provide the continuity needed to maintain meeting schedules and social connectivity, society is very much dependent on the best efforts of sometimes-nascent technology companies to hold credentials under lock and key and apply best efforts in their security practices. Similarly, consumers play a huge role in this equation to the extent they themselves fall short of best practices — through password reuse or failure to implement two-factor authentication.
Hackers, too, are adjusting their exploits to optimize opportunities within the coronavirus-threat landscape with an uptick in phishing attacks, denial of service attacks, ransomware, malware-spawning COVID-19 Maps, and cyberattacks targeting organizations being hit the hardest on the front lines of the pandemic — medical centers, testing facilities, and the World Health Organization.
So the question seems unavoidable: with an uptick in WFH (often DIY) environments that have unexpectedly spun up in the wake of coronavirus stay-at-home orders, will companies be able to meet the reasonableness standard of regulations and consumer expectations about how their information is protected? In many ways that depends on how we define reasonableness.
The Origins Of Reasonableness
Reasonableness is rooted in a duty to protect and used to assess whether a set of behaviors meets or falls short of the requisite levels that the duty requires. There are serious repercussions across all industries for falling short.
Professional standards of care are more stringent than ordinary ones and are measured based on behaviors expected from a skilled professional in the same trade. According to CSO magazine, for an action to be reasonable, it has to be done objectively as a reasonably prudent professional in the same or similar circumstances.
In order to guide financial institutions toward best security practices during the nascence of the internet, the Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999, laid out guidance for financial services companies to explain their information-sharing practices to their customers and to safeguard sensitive data. The resulting Interagency Guidelines Establishing Standards for Safeguarding Customer Information remain valid guideposts 20 years later, describing a process that starts with identifying corporate assets and conducting periodic risk assessments, and proceeds to implementing, monitoring, and regularly adjusting the controls that those assessments call for.
According to Thomas J. Smedinghoff in ‘An Overview of Data Security Legal Requirements for All Business Sectors’, rather than describing actual behavioral expectations, “the emerging legal standard requires companies to engage in an ongoing and repetitive process that is designed to identify and assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.” The exact security measures that are reasonable for that specific company are up to the company based on their specific regulatory requirements, risk profile, and crown jewels.
A Shape-Shifting Variance
So, how much diligence is enough to prove up reasonableness? State breach laws layer onto privacy regimes, and industry-specific regulations guarantee that there is a patchwork approach to coming to an exact assessment. And while regulators have impact on defining reasonableness, judges and juries — who are often not the best situated from a technical standpoint — are often the arbiters of reasonable security when breach actions are adjudicated in court, according to Robert Braun, a partner at Jeffer Mangels Butler & Mitchell LLP who specializes in cybersecurity and privacy.
It takes a veritable village of infosec professionals to assess and execute against cyber risk. Resources run the gamut depending on budgets, but are often unhelpful if not properly used. And access to tools and outside experts is not a panacea. In fact, a growing sense of “alert fatigue” is the reality of an otherwise-attentive security operations center.
Notably, the new COVID-19 WFH workplace means heightened online activities and a workforce that is primarily working from home and, at the same time, subject to layoffs and furloughs, creating the perfect breeding ground for insider threats.
Steve Durbin, managing director of the Information Security Forum, a London, U.K.-based authority on cyber, information security, and risk management, shares in a recent article in Security Magazine that “[e]mployees subject to new working arrangements may well react maliciously due to limited hours, lowered compensation, reduced promotion opportunities, and even expectations of redundancy. These concerns at work can be compounded by increased levels of stress outside of the work environment due to worries about the health of their families, livelihood and uncertainty about the future. Under these conditions, employees might become resentful or disgruntled towards the organization, resulting in occurrences of information leakage and theft of intellectual property.”
What’s At Stake
With organizations increasingly vulnerable to cyberattacks given the distribution of their workforce outside of protective firewalls due to COVID-19 era adaptations and attackers’ ability to devise new, more-nefarious schemes which seek out vulnerabilities like white on rice, the stakes to get security right have never been higher. Public sentiment is fragile and fickle — with swaths of users moving from one tool to the next based on ever-changing perceptions around usability, security, and functionality.
According to Gerry Beuchelt, Chief Information Security Officer of LogMeIn, the perception of inferior security can be just as damaging as the deficiencies themselves. Perceived vulnerabilities or noncompliance can leave a stain on an organization that will be hard to rinse out.
Because there is no one-size-fits-all approach to security, perhaps we can define ‘reasonableness’ as a systematic defense — one that is informed, iterative, collaborative, and well-documented. And for those stakeholders within the organization who are at the helm of lodging the defense itself, here’s hoping that they have the drive and a deep-enough bench to keep working collaboratively and incessantly across the entire organization (and with outside experts, when appropriate), to continually gain a better understanding of the attack vectors and techniques and tools to shut those vectors down, and above all, improve on the plan from the day before.
Jennifer DeTrani is General Counsel and EVP of Nisos, a technology-enabled cybersecurity firm. She co-founded a secure messaging platform, Wickr, where she served as General Counsel for five years. You can connect with Jennifer on Wickr (dtrain), LinkedIn or by email at dtrain@nisos.com.