The Key Takeaways Our Audience Highlighted:
The main point to remember when you are assessing the reasonableness of your cybersecurity measures is that you need to have an accurate knowledge of your actual security posture. You need to map your assets, controls, obligations and have an understanding of where the gaps or vulnerabilities may lie. This implies that technical testing must be conducted, such as:
What’s important is that you must be able to explain which choices you made, and why you made them.
In other words, you must be prepared to explain why are your choices reasonable in the context of your organization. And most importantly, you need to anticipate threats in order for your organization to remain within the realm of reasonable cybersecurity.
To do this internally requires a serious commitment both financially and from a staffing perspective. At a minimum, organizations often outsource periodic technical testing; and as they move along the continuum of implementing a “reasonable” cybersecurity program, they often find the cost/benefit of focusing on their business, their strengths as an organization and leaving cybersecurity to the experts is overwhelmingly positive in the long run. This is especially true for small and mid-sized businesses that are particularly vulnerable to data breach litigation and whose customers are likely to abandon the organization is any personal data is exposed in a breach.
Attendees also had interesting questions pertaining to the topic of litigation facts and trends. One of them was whether there are any differences in data breach litigation against government entities as compared to litigation against private corporations. The question is relevant, given that, traditionally, in Canada, if a governmental entity was the defendant, it was not liable in tort for the damage their employees or decisions caused to another, whether intentional or by negligence. Currently, all Canadian provinces and the federal government have rectified this anomaly by passing legislation which categorizes the public body liable in tort just as a normal person is categorized.
The short answer to this is ‘yes’.
For instance, the definition of what constitutes a ‘good’ password has evolved with the threat. There was a time where merely having a password, even if it was the name of your pet, was considered reasonable. Today, diligent businessmen use software to generate complicated passwords held in a vault by another complex master password. In cybersecurity, the notion of reasonableness evolves with the knowledge of threats. That’s why it’s always recommended to opt for industry’s best practices as opposed to aim for merely compliance, as there may be a gap in between. Practices evolve more rapidly than standards, which evolve more rapidly than legislation.
The bottom line is that organizations cannot avoid the responsibility and subsequently the coming storm of litigation and compliance that will go along with collecting and retaining their customer’s credit card numbers, social security, and other PII. In order to protect itself and its customers for that matter, organizations must establish a “reasonable” cybersecurity program or find itself in court or at the mercy of various commissions tasked with monitoring compliance and penalizing companies who don’t comply. The consensus among the experts and what I hope was communicated in our presentation is:
