A new post on the Halock Security website (https://www.halock.com/new-approaches-to-data-privacy-and-reasonable-security) discusses how, instead of a punitive approach to cyber security compliance, some states have chosen a different route.
States such as Connecticut have safe harbor laws that protect companies from punitive damages if they had reasonable security controls in place at the time of a data breach. Recognized security frameworks include laws such as Gramm-Leach-Bliley and HIPAA, as well as government or industry cyber standards. Companies must adopt revisions to those standards within six months of publication. Failure to implement reasonable controls, gross negligence, or wanton misconduct will void safe harbor protection.
What is "reasonable" security? Standards exist for striking a balance between the security that is needed and cost that would be burdensome: the Duty of Care Risk Analysis Standard (DoCRA) and the Sedona Conference reasonableness test. In applying data security, more controls are not better. On the contrary, companies that use multiple security vendors are more likely to experience excessive downtime and to have more records impacted. Security controls must interact with one another to create blanket security.