BlogLine

What Constitutes a Reasonable and Defensible Process?

2/27/19

By: John Goselin

Society has coalesced around the general principle that businesses, governments and individuals in possession of personal confidential information (whether medical or financial) or personally identifiable information have a duty to protect that information from attackers who would steal it. The reputational damage and financial costs associated with a cyber incident cannot be ignored.
But how much protection is enough? How many safeguards is it realistic to expect those in possession of information to put in place to protect that information? In other words, is there a recognized standard of care where the possessor of confidential information can feel comfortable that the protections/safeguards they have put in place are consistent with what the rest of the world is doing? Can you feel comfortable as a business owner, officer, director or IT specialist that what you are doing is reasonable and defensible in front of regulators, judges and potentially a jury?
Five years ago, the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) rolled out the "Framework for Improving Critical Infrastructure Cybersecurity." NIST's Cybersecurity Framework, last updated as Version 1.1 on April 16, 2018, is a 48-page process outline that businesses should consider adopting as they assess the appropriate cybersecurity safeguards for their specific circumstances. According to NIST, the Framework has been downloaded more than 500,000 times. The Framework is not a definitive list of precisely what steps you should undertake. Instead, it organizes security outcomes into five functions (Identify, Protect, Detect, Respond and Recover) and outlines a process for deciding which of those outcomes matter to your business, where you stand today and where you need to be, so that the resulting safeguards are proportionate to your risk. With a vetted, federally endorsed process, and a written record that you actually followed it, you and your business can credibly state that you took reasonable steps to address a known problem and that the security measures you implemented were the result of a reasonable and defensible process. You will have something to say in your defense! That is a lot better than simply having your head in the sand.
In November 2018, Ohio's Data Protection Act (Senate Bill 220) took effect, creating a "safe harbor" against certain cyber liability for covered businesses that have adopted one of fourteen (14) recognized cybersecurity process frameworks. In layman's terms, if a business can show that its written cybersecurity program reasonably conforms to one of the approved "frameworks" and is scaled to the size and sensitivity of its data, the business has an affirmative defense to tort claims alleging that its failure to implement reasonable security controls resulted in the breach. The safe harbor is a defense to be raised in litigation, not immunity from suit, and a program that exists only on paper will not qualify. The NIST Cybersecurity Framework is one of the recognized industry frameworks. More states are likely to follow Ohio's lead.
There is plenty of information available to help businesses develop a legally defensible process for handling cyber threats. Buckle down, adopt a process, document what you do, get some help and put your business in a more defensible position in the event of an unfortunate cyber incident.
If you have any questions or would like more information, please contact John Goselin at jgoselin@fmglaw.com.