The RSA Conference 2021 Virtual Experience is happening May 17-20 and Symantec, as a division of Broadcom, will be providing a summary of some of the leading stories from the conference to help you stay informed.
You’ve been hacked. Data has been stolen. Now come the lawsuits. Unless you have taken reasonable measures to protect sensitive data, your organization could be liable for damages running into the hundreds of millions of dollars. But you did take reasonable measures, didn’t you? Maybe, but the definition of reasonable has been batted around more than a typical puck in the Stanley Cup Playoffs.
To come to grips with the meaning of reasonable measures in the context of data protection, The Sedona Conference convened a working group that produced a report in November 2020. Key members of that group shed light on the report’s findings in a virtual panel discussion at the online RSA Conference 2021 on Wednesday.
Unless you have taken reasonable measures to protect sensitive data, your organization could be liable for damages running into the hundreds of millions of dollars. But you did take reasonable measures, didn’t you?
“Exploration began nearly three years ago. The law was all over the place,” said Bill Sampson, partner at the law firm Shook, Hardy & Bacon and editor-in-chief of the report. Agencies, Industry and the courts all refer to reasonableness, but, said Sampson, “There was uncertainty about what it means and how to apply it.”
The Sedona working group sought to develop a test for reasonableness, taking into account the interests of the different parties and striking a balance between the costs and benefits of implementing specific security measures. While all panelists agreed that a definition of reasonable is essential and voiced support for the Sedona report in laying out ground rules, the different perspectives of each panelist show there will be ongoing contention regarding the word for some time to come.
Cost vs. Benefit
The Sedona Conference’s “Reasonable Security Test” establishes the rule of thumb that the cost to the data custodian of implementing security measures should not be greater than the benefit the tighter security yields to the data owner.
In a hypothetical example, the panel discussed a breach suffered by a company that created a social media app that collects health data from senior citizens’ personal devices and web browsers. The application did not include multi-factor authentication (MFA), a data access protection measure that is widely recognized as highly effective.
“MFA should be used for internet-facing applications, and MFA should be required for remote access. You need to train users for MFA,” said Phyllis Lee, senior director of controls for the Center for Internet Security (CIS). “We believe that MFA is better than just username and password, and we believe it is achievable for most organizations.”
But, the discussion revealed, the issue is not always so clear-cut in practice. For example, Chris Cronin, principal at HALOCK Security Labs, said getting customers to use MFA faces obstacles, including slower application performance. And the extra step MFA requires to log onto an app deters seniors, resulting in lost business.
In this case, as in all cases, however, the costs and benefits of a technology would have to be weighed against each other.
Such a case would attract the attention of the Federal Trade Commission (FTC), asserted James Trilling, attorney at the FTC. “In cases like this, the FTC would make contact and demand heightened protection. A lot of seniors are using this app,” noted Trilling, adding the breach would cause them to be targeted by scams, as well as identity theft once the data appeared on the dark web. “To determine whether the app developer did act reasonably, the FTC would ask why they did not use MFA,” said Trilling.
In this case, as in all cases, however, the costs and benefits of a technology would have to be weighed against each other. David Cohen, counsel at Orrick, Herrington & Sutcliffe, LLP, who defends companies against damage claims resulting from security breaches, asserted, “You need to make sure the benefits are not overstated and the costs are not understated.” MFA, he explained, could lower risk, but it’s necessary to measure how much by comparing MFA security to non-MFA security measures.
“And how much would MFA have decreased the risk of the data being stolen?” Cohen continued. Without that knowledge, it would be impossible to understand the cost and benefit of implementing MFA. Further, he explained, not every breach in which data is stolen results in consumer harm. “Not all scams work,” he pointed out.
And Cohen agreed with Cronin that the costs of MFA would have to be factored in, including the technology, management labor and customer support – not to mention the lost business of seniors who would abandon the service rather than use MFA. Trilling, however, rejoined that some consumers might never have used the app because it did not have MFA, a valuable security feature they desired. “Were choices presented to consumers, and if not, why not?” he demanded.
While the Sedona report is not the final word on what security measures are reasonable, it’s a good start, the panelists agreed. Said Trilling, “The framework of the test could facilitate a useful discussion, and it would allow disparate views to be exchanged.”
We encourage you to share your thoughts on your favorite social platform.