Be Reasonable

In cybersecurity and data privacy conversations with nonprofits, I like to use something called the "reasonableness standard." It's an actual legal term with a whole history based on work by a person with the actual named "Learned Hand" (go ahead, look it up - I'll wait).

I like to explain it like this (I'm NOT a lawyer).

Imagine you donated some money to a nonprofit and 2 years later you were notified by that nonprofit that your data had been involved in a breach. You ask them some questions:

"Why did you still have my data two years later?"

"What did you do to protect my data?"

If you find their answers reasonable, you are less likely to litigate and less likely to win if you do litigate.

On the other hand, if the answers look like this:

• Failed to provide reasonable or appropriate security for the personal information that they collected and maintained about consumers.
• Failed to implement appropriate password controls. As a result of this failure, employees often used default, weak, or identical passwords;
• Failed to apply adequate multi-factor authentication for both employees and customers to protect sensitive consumer information.
• Failed to prevent data theft by monitoring for unauthorized attempts to transfer or exfiltrate consumers’ personal information outside the company’s networks;
• Failed to perform regular assessments as to the effectiveness of protection measures;
• Failed to implement and enforce appropriate data retention schedules and deletion practices for the vast amounts of consumers’ personal information stored on its network;
• Failed to test, audit, assess, or review its products’ or applications’ security features; and conduct regular risk assessments, vulnerability scans, and penetration testing of its networks and databases;

I'm guessing you wouldn't think that was too reasonable.

Well, those are just some of the findings in the FTC post-mortem report following the Blackbaud February 2020 Breach. It's not a long report (just 7 pages), but it does NOT pull punches:

https://www.ftc.gov/system/files/ftc_gov/pdf/Blackbaud-Complaint.pdf

Not only does the report find that existing security practices were far from "reasonable" leading up the data breach, the report finds that Blackbaud further exacerbated potential harm by failing to accurately communicate with them during the investigation.

"...Blackbaud failed to accurately communicate the scope and severity of the breach in its initial notification to customers. Blackbaud’s actions caused or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumer or competition."

There's a concept in cybersecurity called "Left of Boom, Right of Boom."

What this idea gets at is that an effective cybersecurity program isn't JUST about preventing bad things from happening, it's also about RESPONDING to bad things to do happen to mitigate harm to the best of your ability. This report suggests Blackbaud performed poorly both LEFT and RIGHT of boom.

Now, most of us are not at billion dollar companies that will get investigated by the FTC and show up in the news if we have a breach. But I think it still is a lot better to be reasonable. When I'm working on cybersecurity programs for clients, this is a first principle question at the core of my work: "If this nonprofit suffered a breach, would our behavior be defensible? Would it be REASONABLE?

Let's be reasonable.