One of the most bedeviling aspects of data privacy and security law concerns the concept of “reasonable” data security, which has become the default statutory and common law standard. The FTC began articulating a reasonableness standard in the early aughts, when the Commission first began scrutinizing companies’ data security practices. Companies for years quietly grumbled about the vagueness of this standard, which isn’t defined in any regulations or federal statutes. Critics obtained a recent victory when the Eleventh Circuit, in LabMD v. FTC, struck down an FTC judgment on grounds that the relief sought by the FTC against LabMD– implementation of reasonable data security practices — was too vague to be enforceable.
Meanwhile, some 18 states have passed laws requiring businesses to implement reasonable data security practices. Very recently, California passed a new privacy law, the California Consumer Privacy Act (CCPA), which provides consumers with a private cause of action for the unauthorized access to and exfiltration, theft or disclosure of personal information in violation of a business’ duty to provide “reasonable data security procedures and practices.” Consumers can initiate individual or class action claims seeking statutory damages of $100-$750 per consumer per violation.
The GDPR, which has extra-territorial application and a draconian penalty structure, has a very similar standard, requiring data controllers and processors to implement “appropriate” technical, physical and administrative controls to protect personal information.
The principle that companies must provide for reasonable data security is also the basis for many data breach class actions. Common law theories of liability, such as negligence, typically assert that businesses have a duty to provide consumers with reasonable data security.
The concept of “reasonableness” itself is a notoriously vague standard that often turns on whims of the fact-finder for highly case-specific reasons, making it difficult for a business to draw clear lines. To complicate matters further, what constitutes reasonable data security may shift depending on the nature of the data held by the business, the industry, and the scope of threats. Reasonable for a Fortune 100 technology company may not the same as for a small or medium sized company. Of course, in the mind of many legislators and regulators, opting for a flexible standard like reasonableness may be preferable to imposing strict granular requirements that may be unduly burdensome to small businesses. Under this school of thought, the definition of “reasonableness” will be fleshed out by future courts and through regulatory enforcement actions.
But this hasn’t happened. To date, none of the data breach class actions that have proceeded past the summary judgment phase has litigated to judgment the issue of reasonableness. With the exception of cybersecurity regulations issued by the New York Department of Financial Services, none of the states that have passed data security laws has explicitly stated what reasonableness means or set forth a comprehensive list of processes/policies that a company should have in place. The Eleventh Circuit, as noted, has ruled that the FTC standard of reasonableness is too vague to be enforceable as a civil penalty, but neither Congress nor the FTC has offered any more granular guidance on the meaning of reasonableness. The GDPR does not define “appropriate” or provide guidance as to its practical application. In short, there is a significant hole in the center of data security law that desperately requires definition, particularly as the possibility of substantial statutory damages and civil penalties for failing to maintain reasonable data security becomes a reality for US businesses.
In an upcoming series of blog posts, we’re going to more closely examine the concept of reasonable data security and offer our thoughts on what policies and practices businesses ought to adopt to meet this elusive and slippery standard.