Reasonable Security Best Practices Learning From Notable Data Breaches | Skillsoft’s Global Knowledge Skip to main Content
White Paper

“Reasonable Security” Best Practices: Learning From Notable Data Breaches

Global Knowledge
  • Date: 28 November, 2016

Abstract

It seems every week another major data breach occurs only to be quickly followed by a class-action lawsuit. In reviewing any of these suits, one can easily see that the major complaint from the plaintiffs is that the breached company failed to implement "reasonable security." Therefore, it would seem logical that if the breached companies could show they had implemented "reasonable security," then the lawsuits could be avoided or easily defended. Unfortunately, no definition or standard for "reasonable security" exists.

Sample

If you suffer a breach, what are the ramifications: potential class-action lawsuit and/or an investigation and fines by a regulatory agency? At this point, most, if not all, companies should assume they cannot prevent a breach and, in fact, should assume a breach is inevitable. While speaking at the RSA conference in San Francisco in 2012, FBI Director Robert Mueller stated, “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” Despite the inevitable breach, is it possible to avoid lawsuits by disgruntled customers or investigations by regulatory agencies? Maybe. Can you successfully defend against them? Most likely!

The common factor in most data breach class-action lawsuits and investigations by regulatory agencies is the allegation that the breached company failed to implement reasonable security or protections to prevent the breach. It logically follows that if you implement reasonable security and protections, you should be able to confidently defend your security practices and actions.

If you haven’t thought about what constitutes reasonable security lately, or possibly ever, the time to do so is right now. Most of us have become numb to the weekly news reports of another data breach and the report of a class-action suit being filed shortly thereafter. In fact, less than 24 hours after the Anthem breach was publicly acknowledged, a lawsuit was filed. Sadly, these reports are only a small percentage of the actual number of breaches. Realistically, the number is closer to two or more a day. According to the Identity Theft Resource Center (ITRC) Data Breach Reports, once a company is outed as having been breached, the potential for damage to the company’s reputation and the threat of a lawsuit hangs in the air.

These are not the only threats plaguing breached companies. Many companies have also found themselves suddenly being investigated and possibly fined by regulatory agencies such as the Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), Health and Human Services (HHS) or a State Attorney General.

Since most of the data breach class-action suits and regulatory investigations claim breached companies did not implement reasonable security or protections, it is logical to assume that reasonable security is the antidote to getting sued or fined. This article will look at some of the claims and allegations made in the lawsuits and agency findings as well as the requirements or guidance provided by regulatory agencies and states in order to develop a clear definition and standard for reasonable security. Here is the spoiler alert: there is no clear definition for reasonable security or any standard one could point to that will prevent a breach or allow a breached company to completely avoid all lawsuits or regulatory investigations.

Class-Action Compliance Failures

I researched a sampling of companies such as Target, Home Depot, Anthem, Experian, Trump Hotels, and Wendy’s. The companies in the 13 class-action suits had not implemented basic security or even some form of best practices. According to the allegations, here are some of the areas they failed in security:

• Use of encryption

• Destroy sensitive information

• Use good passwords

• Use a firewall or improperly configured the firewall

• Use or failed to properly update anti-virus

• Implement good vendor security

• Segment networks separating sensitive information from common or public networks

• Implement adequate intrusion detection systems

• Notify customers in a timely manner

• Outdated software/hardware

• Unsecure environment to accept, process, or store credit card information

Download here

Browse Related Topics:

Related Articles
26 Feb 2019 Article

Many cyber security efforts are aimed at securing data, apps, web sites etc... But is your code also designed with security in mind? Is cyber security...Read More

28 Jul 2020 Article

Facebook, Instagram and Github - we use all sorts of social networks and share our personal data without giving it a second thought. Which information...Read More

27 Jul 2020 Article

Why are social engineers good at what they do? They take advantage of the bugs in your brain. Read in the new blog by Business Development Manager Inn...Read More

We Care About Your Privacy

We are using cookies to give you the best experience on our site. Cookies are files stored in your browser and are used by most websites to help personalise your web experience. By continuing to use our website without changing the settings, you are agreeing to our use of cookies.

Please only use paragraphs and links in this rich text field. A link to page with cookie info

About your Privacy

We process your data for purposes such as delivering content or advertisements and measuring the delivery of such content or advertisements to extract insights about our website. We may share this information with our partners. Cookies set by Global Knowledge are labelled “first party”; you may exercise your preferences in relation to first party cookies by toggling the switch for each first party cookie category below. The remaining cookies are third party cookies; you may exercise your preferences in relation to each purpose by toggling the relevant switch below or by vendor by clicking “List of IAB Vendors.” These choices will be signaled globally to other websites participating in the Transparency and Consent Framework.
Privacy Statement

Necessary Cookies

These are cookies that are required for the Global Knowledge website to function and cannot be switched off in our systems. They include, for example, cookies that enable you to use a shopping cart or log into the booking area of our website.

Analytics Cookies

Analytics cookies are an optional but important part of our website's functionality. They help us to understand how you interact with our site by collecting and reporting information anonymously. The data collected by analytics cookies is used to improve the website's performance and enhance the user experience. It is important to note that these cookies do not collect any personal information that can be used to identify you.

Preferences Cookies

These are optional and you can turn them off and on. Please only use 2 to 3 lines of text here and if needed link to a page with more cookie info in Intro.

Performance Cookies

These cookies allow us to recognise and count the number of visitors to our website, traffic sources and to see how website visitors move around the website when they are using it. This helps us to improve the way the website works and improve your website experience. All information these cookies collect is aggregated and therefore anonymous.

Cookie Control toggle icon