Two years ago, William R. Sampson of Shook, Hardy & Bacon in Kansas City set out to help define what “reasonable” data security looks like. The basic answer: More cybersecurity is not always better.
Of course, it’s a lot more complicated than that. What’s reasonable in one industry might not be so in another. What’s reasonable for a large corporation might not be for a small business. What’s reasonable for $100 might not be for $1 million.
Sampson serves as editor-in-chief for the “Commentary on a Reasonable Security Test,” a 57-page paper released in September by the Sedona Conference, a nonprofit research and educational institute that studies law and policy in areas ranging from antitrust to intellectual property. Sampson described it as “the nation’s pre-eminent legal think tank.”
The paper is intended to provide courts, regulators, attorneys and businesses a standard for “reasonable security” practices in data privacy that is both authoritative and flexible.
“I think the Sedona Conference hopes that the ideas advanced in this Commentary will be adopted by the courts and by regulators,” Sampson said.
He got involved in the group through the efforts of Al Saikali, a Shook partner based in Miami who leads the firm’s privacy and data security practice. Saikali also has served as the chairman of Sedona’s Working Group on Data Security and Privacy Liability (also known as Working Group 11).
Sampson was asked to lead a team of judges, lawyers and IT consultants in an effort to set a legal test for reasonable data security. Although his practice concentrates on product liability, commercial class actions and business litigation, his role was to “make the trains run on time,” he said.
“I’m not a full-time or even close to full-time practitioner in the area of data security, but I certainly understand that it’s a very important developing area of the law,” he said.
The lack of consensus on what constitutes “reasonableness” has led to confusion in the law. For instance, in 2015 the 3rd U.S. Circuit Court of Appeals in Federal Trade Commission v. Wyndham Worldwide Corp. ruled against a hotel chain that suffered a data breach and subsequently was sued by the federal agency. The court held that the FTC has authority to regulate cybersecurity and that the hotel had fair notice that its data security practices could constitute an “unfair” practice under federal law.
In contrast, in 2018 the 11th Circuit in LabMD v. Federal Trade Commission overturned an FTC cease-and-desist order, finding that its requirement for “reasonableness” was so vague as to violate due process.
Sampson said the Sedona Conference paper avoids instituting a one-size-fits-all standard. Instead, it depends on performing a cost-benefit analysis in specific contexts.
He gave the example of a rural health provider weighing whether to use a standard form of data security such as multifactor authentication to access medical records. Inserting that extra step might prevent someone from accessing patient information if a laptop were to be stolen. But it also might prevent a doctor from getting critical information about a patient in an area with spotty cell service.
“If you’re in a remote area with a laptop and your connection to all the medical information is that laptop and you can’t get it to turn on because you’ve forgotten that extra step of authentication, the issue quite clearly is: Is it worth having?” Sampson said.
The proposed standard also encourages businesses to weigh the monetary costs of security against the potential costs of inaction. Consider the sticker shock that a firm might have when looking at a security system that costs $1 million.
“Is there a million dollars’ worth of harm out there that my law firm might do if we don’t have this control in place? And the answer may be, ‘Yeah, there is.’ And in that case, we’ve either got to do it or face the very real consequences of down-the-road exposure and liability if we don’t do it,” he said.
The Commentary, available at thesedonaconference.org, was open for public comment until Nov. 18. Sampson said his team will review those comments, which could result in further refinements to the paper before final publication.