Navigating the ambiguous requirement of ‘Reasonable Security’ measures while protecting personal information.
Over the last couple of years, cybersecurity laws have commonly required that sensitive information be protected through the use of “reasonable security.” Business owners have likely heard that they are required to protect sensitive information, but may not understand how to specifically go about this. The term “reasonable security” often has been left ambiguous and guidance as to what is required for your specific business might be hard to find.
As a starting point, it is important to understand that what constitutes appropriate security safeguards may depend upon the type of information that you collect and the type of business that you operate. For example, if you are a medical professional, or holding information for a medical professional, you may be subject to the HIPAA Security Rule (HIPAA) (which lists specific safeguards for the protection of electronic health information), and if you are a financial institution, or holding information for a financial institution, you may need to comply with the Gramm-Leach-Bliley Act (GLBA) (which identifies specific requirements and safeguards for the protection of customer information).
Administrative guidance elaborates on each of these laws by laying out certain cybersecurity safeguards that should be put in place, including but not limited to: access controls, monitoring solutions, and disaster recovery procedures. Further, under both HIPAA and GLBA, if any of the regulated entity’s vendors receive protected information from that regulated entity, then the regulated entity is required to contractually bind that vendor in writing to treat the protected information in the same manner as the regulated entity.
In addition to laws and regulations that require entities to implement appropriate safeguards, attorneys’ ethical requirements provide guidance on determining what constitutes reasonable security and have been read to require the implementation of specific cybersecurity safeguards. Even if, however, you are not subject to the laws and regulations referenced above, if you collect private information from a New York state resident, you are still required to implement reasonable security. As of March 21, 2020, the New York “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act) specifically requires that any person or business that collects private information of a New York resident must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information, including but not limited to, disposal of the data.
Private information includes:
1.) Social Security numbers;
2.) driver’s license numbers or non-driver identification card numbers;
3.) account numbers, credit or debit card numbers, if those numbers would permit access to an individual’s financial account;
4.) biometric information; or
5.) a user name or email address in combination with information that would permit access to an online account.
The SHIELD Act enumerates several administrative, technical and physical safeguards that larger businesses must develop, implement and maintain. These safeguards include, but are not limited to: identifying reasonably foreseeable internal and external risks; assessing risks in network and software design, information processing, transmission, storage and disposal; and detecting, preventing and responding to attacks, system failures and intrusions. For small businesses, the Act simply provides that “the small business’ security program [should contain] reasonable administrative, technical, and physical safeguards that are appropriate for the size and complexity of the small business’ activities, and the sensitivity of the personal information the small business collects from or about consumers.” A small business is any person or business with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than five million dollars in year-end total assets.
Despite all of these legal requirements and safeguards, what constitutes “reasonable security” remains ambiguous to this day. As previously noted, most laws currently provide that the safeguards implemented by a business should be reasonable and appropriate, given the size of the business and the information it collects. Agencies such as the Federal Trade Commission (FTC) have recognized that there is no such thing as perfect security, and that security is instead a continuing process that requires the business to detect risks and adjust its safeguards accordingly.
While these sources do not provide a ceiling for the safeguards that a business should have in place, they appear to have at least begun to create a floor. For years, the FTC has been the primary enforcer of cybersecurity regulations. The FTC has brought numerous actions for deceptive or unfair business practices under the FTC Act against businesses that claimed to have reasonable security in place but failed to do so.
Consequently, as a best practice, businesses seeking to come into compliance are well advised to draw on the publications of their regulators and also to consult the FTC’s published guidance on what their type of business is required to implement. Many of these FTC guidelines go into greater detail on the types of safeguards businesses should implement, including the FTC’s guidelines for small businesses and the FTC’s explanatory material on the Cybersecurity Framework published by the National Institute of Standards and Technology (NIST) (a voluntary framework that includes standards, guidelines and best practices to manage cybersecurity risk).
Bear in mind that if you collect information from individuals located in other states, you will also have to evaluate the laws of those states, which may be stricter than the laws of the state in which your company has its principal place of business. For example, unlike the SHIELD Act, the California Consumer Privacy Act of 2018 (CCPA) provides a private right of action to California residents whose personal information was subject to “an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.” This private right allows a successful plaintiff to recover damages in the amount of “not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.” To put this in context by way of example, if a compromised database has information on a mere 10,000 people, a business could be subject to damages of $1,000,000 to $7,500,000. In contrast, New York’s SHIELD Act imposes civil penalties of not more than $5,000 for failing to implement reasonable security and, under New York’s Breach Notification law, potential penalties are the greater of $5,000 or up to $20 per instance for failing to notify affected consumers of a data breach, not to exceed $250,000.
As most businesses collect and maintain sensitive personal information about their customers, the key takeaway is to first assess the type of business that you operate and the types of personal information that you collect. From that starting point, develop, implement and maintain a sound security plan to collect only the information that you need, to keep that information safe, and to dispose of it securely. This will form the foundation to help your business meet its legal obligations to protect that sensitive data.
Reprinted with permission from the May 6, 2020 edition of the New York Law Journal © 2022 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited, contact 877-257-3382 or reprints@alm.com.
Stephen Breidenbach, Assistant General Counsel – Technology
Moritt Hock & Hamroff, LLP
(516) 873-2000
sbreidenbach@moritthock.com