The Importance Of Having Reasonable Security
Whether at the state, federal, or international level, laws increasingly mandate data security that meets “a standard of reasonableness.” What constitutes reasonable security measures depends on the specific business sector and the data in the organization's inventory. For example, a healthcare provider holding sensitive health information on many patients must have a robust data security program. Security includes a variety of physical as well as technological safeguards.
Below are some examples of the reasonableness standard as it appears in the newer laws entering the privacy landscape.
New York’s Stop Hacks And Improve Electronic Data Security (SHIELD) Act
Under the Act, businesses that collect the private information of New York residents must: “develop, implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information.”
The New York Attorney General (AG) has been enforcing the need for reasonable security. For example, in June 2022, the AG reached a settlement of $400,000 with Wegmans Food Markets, Inc. (Wegmans) for violations following a data breach affecting more than three million individuals nationwide and more than 830,000 New Yorkers. The AG noted that Wegmans stored personal information in “open cloud storage,” which facilitated unauthorized access by third parties to information such as email addresses, account passwords, names, addresses, and additional data derived from drivers’ license numbers. Specifically, the AG found that Wegmans had failed to:
- configure proper access controls;
- establish appropriate password policies;
- conduct security assessments of the cloud databases;
- maintain long-term logging of its IT assets; and
- implement data retention practices.
As a result of the enforcement action, Wegmans agreed to a settlement of $400,000 and must, among other things:
- maintain a comprehensive information security program that is regularly updated;
- maintain an inventory of all cloud assets;
- establish policies and procedures to ensure all cloud assets containing personal information have appropriate access controls;
- develop an annual penetration testing program;
- implement centralized logging and monitoring of cloud asset activity;
- establish appropriate password policies and procedures for customer accounts;
- maintain a reasonable vulnerability disclosure program;
- establish appropriate practices for customer account management and authentication; and
- update its data collection and retention practices so that it collects customers’ personal information only when there is a reasonable business purpose for collection and deletes it when there is no longer a reasonable business purpose to retain it.
The California Consumer Privacy Act (CCPA)
Private actions, though limited by certain exceptions, may seek statutory or actual damages as well as injunctive relief under the CCPA. Several conditions need to be met to commence a private action. Most notable of these is the requirement that consumers’ sensitive personal information be subject to unauthorized access and exfiltration, theft, or disclosure as a result of a failure to maintain reasonable security procedures.
The Federal Trade Commission (FTC)
In November 2019, the FTC imposed a first-of-its-kind data security settlement that was asserted solely upon the failure to maintain reasonable security measures. Historically, the FTC treated a data security failure as an FTC Act violation on the following rationale: the respondent’s deficient data security practices were not in compliance with the respondent’s stated policies, and therefore constituted an unfair or deceptive act. In contrast, in this settlement, without any violation of overt promises, the respondent’s lack of reasonable data security was ipso facto an unfair or deceptive act and hence a violation of the FTC Act.
The agreement notes the security failures, which included that the respondent failed to:
- inventory and delete personal information it no longer needed;
- conduct code review of its software and testing of its network;
- detect malicious file uploads;
- adequately segment its network; and
- implement cybersecurity safeguards to detect unusual activity on its network.
In addition, the respondent stored consumers’ personal information, such as Social Security numbers, payment card information, bank account information, and user names and passwords, in clear, readable text on its network.
The settlement also outlined a variety of data security measures that the FTC expects from those storing personal data in order to meet the reasonableness standard. The specific steps add clarity and may stem from an earlier ruling of the Eleventh Circuit. In that case, an order was imposed that required LabMD to implement “a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about the consumer.” However, on appeal, the Eleventh Circuit held that the order was unenforceable because it failed to provide any “meaningful standard” for determining “what constitutes a ‘reasonably designed’ data security program.” With this latest settlement, the FTC goes to great lengths to describe specific measures, which appears to be a deliberate effort to avoid the vagueness the court objected to.
UPDATE JANUARY 2020: The FTC just posted “New and improved FTC data security orders: Better guidance for companies, better protection for consumers.” The memo further addresses issues revolving around vagueness raised in the LabMD case and confirms the FTC’s intention to provide more concrete requirements in orders.
Meeting the reasonableness standard for data security is a moving target. As new threats emerge, existing security measures need to be reevaluated and updated where necessary. Therefore, it is imperative to maintain best practices that are in line with your sector and risk profile.