12 October 2022
‘Reasonable security’ is a subjective term that has to be understood objectively, striking the right balance between security and privacy to ensure the rights of individuals. Without clear guidance, you may be uncertain what reasonable security looks like. And uncertainty is unsettling. Most regulatory bodies have also struggled to define exactly what reasonable security means.
Reasonable security should not just be interpreted as ‘minimum security’ – the objective is to protect individuals’ personal data that you are responsible for. Failing to provide reasonable data protection opens an organisation to potential findings of negligence in the case of a data breach. Beyond the potential monetary impact of fines and plaintiff awards, the independent judgment of a court or regulatory body that an organisation failed to provide reasonable security could cause existing and potential customers to take their business elsewhere. Irrespective of the above, you still failed to protect your customers’/employees’ data from a breach.
The security principle
If it’s any consolation, as you’re grappling with what reasonableness means, it appears that the EU, which spent years drafting and finally publishing the GDPR, was probably not 100% sure either how far to go in specifying security.
For example, Article 32 of the GDPR states:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, …
Despite the vagueness of this statement, the recital tries to help us understand what to do:
… including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
An appropriate level of security
None of the tips provided are straightforward and it’s not 100% clear how to execute them in most organisational environments. The GDPR article goes on to explain further:
In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
The word ‘appropriate’ is used judiciously four times, suggesting that it is up to a DPO (data protection officer), or equivalent, to figure out what it might mean in any particular context.
OK, you say, then it’s up to me and my security experts to make the hard, grown-up decisions and negotiate with the CIO/CISO and other executives who may themselves have competing priorities.
The crunch comes when there is a data breach.
Even if you satisfy a court that you met the legal requirements on the grounds of reasonable security, the loss of your customers’ data would have a severely detrimental impact on your business’s reputation and the consumer-perceived safety of associating with your much treasured and protected brand. By understanding the bigger set of problems you’re trying to solve, you’ll get a decent measure of what is and what isn’t important.
Where to begin
Malware, phishing attacks and human error cause most data breaches. So, it clearly makes sense to encrypt and redact all personal data to limit the exposure of sensitive data in applications. However, the procedures required are often inconvenient, cumbersome and difficult to implement, particularly email encryption in a busy work environment where response speed and agility are demanded or simply part of company culture. At the very least, you should have an active, enforceable password management program that ensures that passwords are changed frequently, meet a strength requirement, and are not reused across different systems. Imposing lockouts after a set number of unsuccessful login attempts or notifying users of suspicious activity may not be popular, but frankly it is necessary. Leaving no stone unturned requires ensuring the security of the application, database and operating system layers, endpoints and mobile devices, hypervisors and microservices, remote, local and wide area networks, as well as data centre systems and backups.
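As an added illustration of the lockout control described above (example code, not part of the original article), the following Python sketch locks an account after a configurable number of failed attempts within a time window, lets a successful login reset the counter, and records a notice for each lockout so users or operators can be informed. The thresholds, user names and authentication events are constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Policy parameters (assumed values, not taken from the article).
MAX_FAILURES = 5        # unsuccessful attempts tolerated ...
WINDOW_SECONDS = 600    # ... within this sliding window
LOCKOUT_SECONDS = 900   # how long the account stays locked


@dataclass
class LockoutPolicy:
    max_failures: int = MAX_FAILURES
    window: int = WINDOW_SECONDS
    lockout: int = LOCKOUT_SECONDS
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    locked_until: dict = field(default_factory=dict)
    notices: list = field(default_factory=list)   # messages to surface to users/ops

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record(self, user, now, success):
        """Process one login attempt; return 'locked', 'allowed' or 'failed'."""
        if self.is_locked(user, now):
            return "locked"            # even a correct password is refused while locked
        if success:
            self.failures[user].clear()   # a good login resets the failure counter
            return "allowed"
        recent = self.failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()           # drop failures that have aged out of the window
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            self.notices.append(f"{user}: locked after {len(recent)} failures")
            recent.clear()
            return "locked"
        return "failed"


# Constructed sample events: (timestamp in seconds, user, success). State is
# kept per account, so only the ordering within each user's events matters.
SAMPLE_EVENTS = [
    (0, "alice", False), (30, "alice", False), (60, "alice", False),
    (90, "alice", False), (120, "alice", False),   # fifth failure triggers lockout
    (150, "alice", True),                          # correct password, still locked
    (1100, "alice", True),                         # lockout has expired
    (0, "bob", False), (700, "bob", False), (701, "bob", False),
    (702, "bob", False), (703, "bob", False),      # first failure aged out: only 4 in window
]


def run(events, policy=None):
    policy = policy or LockoutPolicy()
    return [policy.record(user, ts, ok) for ts, user, ok in events], policy
```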
The stakes are high
In July 2015, the Ashley Madison website experienced a data breach by a group of hacktivists (the Impact Team) that exposed the profile information of 36 million users. Ashley Madison charged customers that no longer wanted to be associated with the site $35 per person to delete their profile information. Rather than deleting these profiles, Ashley Madison moved the profile data from their active site into an unsecured database that was easy to exploit.
The Impact Team claimed to have stolen more than 300 GB of data and leaked millions of Ashley Madison’s users’ email addresses and damaging emails from the CEO’s account.
The FTC’s (the US Federal Trade Commission) complaint stated that, despite claims that the website was “100% secure,” “risk-free,” and “completely anonymous,” the company “engaged in several practices that, taken together, failed to provide reasonable security to prevent unauthorised access to personal information on their network.” It concluded that “in truth and in fact … [the company] did not take reasonable steps to ensure that AshleyMadison.com was secure.”
The past, present and future
In addition, the growth in the number of intelligent and Internet-connected devices, together with the emergence of 5G, is introducing new data-driven and increasingly autonomous scenarios. For enterprises, that includes surveillance cameras as well as personal objects and devices that hackers could attack to gain further access into your network, systems and other vital resources. If that were not enough, we’re not yet done with physical data assets – such as paper files – which are equally susceptible to attack and tampering that could lead to mischief and data leaks. Any hard copy sitting in an open room is a potential liability.
The future of reasonable security
The speed at which we are collecting data and evolving technology in combination with the exploitation of our supply chain makes “reasonable security” a moving target precariously positioned on a slippery slope. Reasonable security practices will depend on the circumstances and whether a business’s decisions were sound in hindsight.
Documentation of a reasoned decision will give evidence that shows whether a business considered the risk and options and, for legitimate business reasons, may not have implemented a more robust solution.
The law is like a slow-moving tortoise, and the technology and adversaries are the hares. Laws are hesitant to clearly define what it means to act reasonably because
(1) the legislators are not cybersecurity experts, and
(2) by the time the law is published, the technology has changed so dramatically the law is outdated.
Risk management is at the heart of organisational governance and is the cornerstone of security program development. Organisations confront infinite risk with finite resources, but not all risks are material, nor do all risks have a high probability of occurring. Reasonable security should anticipate which risks an organisation will likely confront and document its risk treatment strategy. Risks can be mitigated, insured against (transferred), accepted, avoided or a combination of these strategies, but risks should never be ignored.
There is no one-size-fits-all definition of reasonable security. All companies that hold personal data in trust should implement reasonable data protections to secure that data.
‘Reasonable’ is what the courts decide it is, depending on the facts at hand for the case before them. Regardless of precedent or regulatory definitions, reasonable security is ultimately what your customers, partners and employees expect. An organisation’s privacy leader’s role is to work with a security leader to determine the right approach, uncover deficiencies and advocate for improvements where needed.
David Goodman, Trust in Digital Life