Defining 'Reasonable' Cybersecurity: Lessons from the States

51 Pages Posted: 10 Sep 2021 Last revised: 25 Feb 2022


Scott Shackelford

Indiana University - Kelley School of Business - Department of Business Law; Harvard Kennedy School Belfer Center for Science & International Affairs; Center for Applied Cybersecurity Research; Stanford Center for Internet and Society; Stanford Law School

Anne Boustead

University of Arizona - School of Government and Public Policy

Christos Makridis

Stanford University; Institute for the Future (IFF), Department of Digital Innovation, School of Business, University of Nicosia; Arizona State University (ASU); Department of Veterans Affairs (VA)

Date Written: September 7, 2021

Abstract

Questions over what constitutes ‘reasonable’ cybersecurity reporting and operating practices have long vexed businesses and policymakers. Given a lack of clear guidance from Congress, states have filled the vacuum by passing a series of laws requiring “reasonable” cybersecurity, for example from manufacturers of Internet-connected devices. Other states have elected instead to provide safe harbors; Ohio, for instance, rewards companies for investing in a pre-determined list of recognized cybersecurity standards and frameworks – such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework – by minimizing their liability in the aftermath of a data breach. This Article: (1) summarizes the current state of state-level cybersecurity policymaking, with a special emphasis on how states are defining “reasonable” cybersecurity; (2) discloses the results of a statewide survey on cybersecurity perceptions and practices among organizations in Indiana, conducted in partnership with the Indiana Attorney General’s Office; and (3) makes a series of suggestions, based on these findings, about how to better educate and incentivize firms to institute reasonable cybersecurity best practices.

Keywords: cybersecurity, safe harbor

Suggested Citation

Shackelford, Scott J. and Boustead, Anne and Makridis, Christos, Defining 'Reasonable' Cybersecurity: Lessons from the States (September 7, 2021). Available at SSRN: https://ssrn.com/abstract=3919275 or http://dx.doi.org/10.2139/ssrn.3919275

Scott J. Shackelford (Contact Author)

Indiana University - Kelley School of Business - Department of Business Law

Bloomington, IN 47405
United States

Harvard Kennedy School Belfer Center for Science & International Affairs

79 JFK Street
Cambridge, MA 02138
United States

Center for Applied Cybersecurity Research

Wylie Hall 105
100 South Woodlawn
Bloomington, IN 47405
United States

Stanford Center for Internet and Society

Palo Alto, CA
United States

Stanford Law School

Stanford, CA 94305
United States

Anne Boustead

University of Arizona - School of Government and Public Policy

315 Social Science Building
Tucson, AZ 85721
United States

Christos Makridis

Stanford University

Stanford, CA 94305
United States

Institute for the Future (IFF), Department of Digital Innovation, School of Business, University of Nicosia

Nicosia, 2417
Cyprus

Arizona State University (ASU)

Farmer Building 440G PO Box 872011
Tempe, AZ 85287
United States

Department of Veterans Affairs (VA)

810 Vermont Avenue NW
Washington, DC 20420
United States
