“Reasonable” Cybersecurity and the Problem of Opportunistic Lawsuits
Access Point Consulting
By Shaun Waterman, Contributing Writer
It’s a sad but true fact of modern cybersecurity, experts say, that businesses which are victims of a cybercrime attack are often revictimized shortly afterwards—by opportunistic class action lawsuits.
“I think if you were to track down every data breach that’s been publicly reported, you’d find there’s an extremely high number of them where the victim company also got sued,” said Megan L. Brown, a former senior Department of Justice official and cybersecurity attorney with deep expertise in the field.
There’s no centralized national database of such lawsuits, which can be filed in state courts, nor is there a comprehensive register of publicly reported cybercrime attacks. So there’s no hard data, Brown said. But, she added, “I’m not personally aware of a single major data breach that’s been made public, which hasn’t been followed by a lawsuit, usually multiple lawsuits, and in some cases by regulatory action.”
Laws vary from state to state, but in most of them, plaintiffs can claim that businesses owe some duty to customers whose data they collect and store. Many have data protection or privacy laws that require businesses holding customer information to implement “reasonable” cybersecurity or data security measures to protect it.
Class action lawsuits are typically like tort cases—alleging breaches of that duty and seeking monetary recompense.
But that means the suits aren’t a good mechanism for enforcing cybersecurity standards, Brown pointed out. A regulatory or law enforcement action by a government agency can address security issues, “But these class actions are all about a payday. That’s how they’re set up. They're not about improving security,” she said.
But now, a small but growing handful of states are pushing back.
Historically, according to an analysis from the R Street Institute think tank, some state laws haven’t been very clear about how companies could fulfill their duty to their customers to keep their data secure. “The ‘reasonable’ standard [as a requirement for cybersecurity or data security programs] is quite common,” the author of the analysis, R Street Fellow Steven Ward, told CyberWatch, “But in some places, it is rather vague.”
That’s not necessarily a bad thing, he added. “You don’t want a standard that’s too prescriptive. It needs to be adaptable for each organization.” A useful standard, he explained, is one that’s able to evolve as new threats emerge, technologies change, and best practices develop.
But vague standards, Ward pointed out, may open the door to opportunistic plaintiffs’ lawyers, who can expect a big payoff, in the form of a contingency fee, whatever the merits of their case.
“They call it sue and settle. There’s almost no downside to filing. These cases are very expensive [for the defendant] to fight in court,” Ward said, “All the incentives are lined up for them to settle, and that means a payout for the attorneys, regardless of whether they have a valid case or not.”
And the payouts can be substantial. In April, Planned Parenthood of Los Angeles proposed a $6 million settlement for a class action lawsuit following an October 2021 cybercrime attack that stole personal data, including medical records, about more than 409,000 patients. But despite the size of the settlement, and the fact that typically only 10 percent of class members (i.e., the patients) apply for the damages to which they’re entitled, most will end up getting as little as $66 and three years credit monitoring, unless they can document actual financial losses.
Affirmative Defense and Safe Harbor
Over the past few years, a small but growing handful of states have sought to stem the tide of opportunistic class actions. Six now have data protection or privacy laws offering some form of safe harbor or affirmative defense against lawsuits to businesses that have implemented “reasonable cybersecurity” measures. This means, in those states, a business that meets that standard typically can’t be sued unless it’s guilty of gross negligence or malfeasance.
Businesses can demonstrate they meet the standard by adopting one of a half-dozen sets of cybersecurity guidelines or frameworks developed by the federal government, commercial standards organizations, or cybersecurity nonprofits, including:
These safe harbor provisions allow businesses in those states to inoculate themselves against opportunistic lawsuits, said CIS Executive Vice President and General Manager for Security Best Practices Curtis Dukes. “They make it very upfront and straightforward for organizations to say, ‘I need to, as part of my cybersecurity program, implement one of these frameworks, and then regularly measure myself against that.’”
The six states with safe harbor or affirmative defense provisions are:
And “it’s not just the states,” added Dukes. Beyond these safe harbor provisions, there is a growing nationwide consensus to use the “reasonable” standard as a way to set a minimum acceptable level of cybersecurity, and to define it through the use of one or more of the frameworks.
“More and more we’re seeing, not just state legislators, but regulatory agencies, state attorneys general and courts turning to this standard of reasonable cybersecurity as a way to hold organizations accountable,” explained Dukes. Prior to joining CIS in 2017, he spent more than three decades at the National Security Agency, culminating as its director of information assurance.
Moreover, the settlements or consent decrees emerging from these regulatory and enforcement actions increasingly referenced one or more of the frameworks as a way for businesses and other organizations to demonstrate compliance with the “reasonable” standard, Dukes said. “In the last two years, we’ve seen a rush of these settlements or orders, not just from the states, but from federal agencies.”
Working with lawyers in the CIS network, cybersecurity experts at the nonprofit produced A Guide to Defining Reasonable Cybersecurity, which defines common elements of the standard and, crucially, lays out a roadmap for businesses and other organizations to meet it by implementing the CIS Critical Security Controls.
These 18 controls—really 18 groups of controls, since most contain a series of measures that have to be implemented—evolve based on new threats and new technologies, said Dukes. They’re mapped against the latest data from real world attacks, to track their relevance, and regularly updated.
“Obviously, there’s other ways to meet [the “reasonable” standard], you could use the NIST cybersecurity framework or ISO 27001, but we chose to demonstrate how you can implement and show conformance using the CIS Critical Security Controls,” said Dukes.
Implementation: Cyber Boots on the Ground
Although the frameworks and guidelines offer a roadmap for businesses that want to demonstrate they are meeting the “reasonable cybersecurity” standard, actually implementing them can be a challenge, especially for small and medium-sized businesses, said Dukes. “They don’t have millions of dollars to spend. They may not even have a cybersecurity specialist on staff.”
That is Pat Cooley’s world. He’s the CEO of IT Productivity, which provides managed cloud and security services to organizations in the Mid-Atlantic area. His customers range from non-profits with single-digit numbers of users to medium-sized CPA firms with many hundreds.
Cooley said implementing the new “reasonable” standard had multiple benefits for the organizations he serviced. The guidelines and frameworks for reasonable cybersecurity “might be able to [help you] defend against a lawsuit for that breach,” he said. But more importantly, “They're also going to mitigate the possibility that [a breach] even happens” in the first place.
Cooley uses the Critical Security Controls with his customers and told CyberWatch that the way CIS organizes and breaks down the implementation is key for him. “They have these three implementation groups,” he said. The first, IG1, is your “bottom-line essential cyber hygiene,” and the other two add additional layers of security from there.
Organizations need to be able to tailor a security program to their needs so they can manage their risk, said Cooley. “If you're a smaller business, maybe you only need to do the top three [safeguards] in that control,” which maps to IG1.
Regardless of size, businesses need to prepare now, he said. “It takes a year to go on this journey.” Even in unregulated sectors, businesses are increasingly facing pressure to demonstrate that they are managing their cybersecurity risks.
“You’re going to feel the push coming at you,” Cooley said, “whether that's third-party risk from one of your big clients asking a question … or it's your business insurance asking for something, or it's a data privacy issue… And unfortunately, if you wait for that to happen, it's too late.”
The Next Level: Reasonable Cybersecurity as a Federal Standard
There are at least two ways that “reasonable” cybersecurity or data security might become a broadly applicable federal standard.
Indeed, some argue that the Federal Trade Commission, armed with a mandate to police “unfair and deceptive” business practices that dates to 1914, has already effectively made “reasonable” cybersecurity a federal standard, and has laid down enforcement precedents.
Two years ago, the FTC filed a regulatory notice announcing its intention to publish a rule governing “commercial surveillance and data security practices,” but it hasn’t moved that effort forward since.
The American Privacy Rights Act (APRA), the federal data protection legislation currently being drafted by the House Energy and Commerce Committee and the Senate Commerce Committee, also requires businesses to adopt “reasonable data security practices.”
It doesn’t link that requirement to any guidance or framework, but rather lays out a half-dozen elements (including vulnerability assessments and mitigation, staff training, and incident response) as minimum requirements for a reasonable program.
APRA also doesn’t offer any affirmative defense or safe harbor—and it might end up preempting existing safe harbors in state laws, according to R Street’s Ward. “It does preempt state law,” he said of APRA, “but there are all kinds of carve outs and exemptions. It’s not a strong preemption.” Safe harbors aren’t currently one of the carve outs, he added, but the bill was still being negotiated.