Defining 'Reasonable' Cybersecurity: Lessons from the States
51 Pages | Posted: 10 Sep 2021 | Last revised: 25 Feb 2022
Date Written: September 7, 2021
Abstract
Questions over what constitutes ‘reasonable’ cybersecurity reporting and operating practices have long vexed businesses and policymakers. Given a lack of clear guidance from Congress, states have filled the vacuum by passing a series of laws requiring “reasonable” cybersecurity, such as for manufacturers of Internet-connected devices. Other states have elected instead to provide safe harbors, like Ohio, which rewards companies for investing in a pre-determined list of recognized cybersecurity standards and frameworks – such as the National Institute for Standards and Technology (NIST) Cybersecurity Framework – by minimizing liability in the aftermath of a data breach. This Article: (1) summarizes the current state of state-level cybersecurity policymaking, with a special emphasis on how states are defining “reasonable” cybersecurity; (2) discloses the results of a statewide survey on cybersecurity perceptions and practices among organizations in Indiana, done in partnership with the Indiana Attorney General’s Office; and (3) makes a series of suggestions, based on these findings, about how to better educate and incentivize firms to institute reasonable cybersecurity best practices.
Keywords: cybersecurity, safe harbor