With the growth in ransomware there is an increased need for cyber security. The question arises: how much security is enough to defend against claims of negligence after an attack?
In general, there is a legal standard of reasonableness. What would a reasonable person - or organization - do? For cybersecurity in particular, there are laws and standards, some more specific than others. A bulletin by law firm Locke Lord (https://www.lockelord.com/newsandevents/publications/2021/06/updating-your-reasonable-security) provides some specific references.
- The Center for Internet Security's CIS Controls are suggested by the California Attorney General's office as a minimum level of security for all organizations.
- The Massachusetts Standards for protection of personal information (201 CMR 17.00) is a state requirement for all organizations that own or license personal information.
- The NAIC Insurance Data Security model law tailors information security requirements to the insurance industry. Federal law addresses privacy and security in the healthcare and financial sectors through HIPAA and Gramm-Leach-Bliley Act respectively.
- The New York Department of Financial Services Cybersecurity Regulation provides a comprehensive and flexible framework for organizations of every size and focus.
By using one of these, or by researching other laws or standards applicable to a particular state or industry, organizations should develop and implement their own standards to provide a reasonable level of cyber security.