Defining 'Reasonable' Cybersecurity: Lessons from the States.
Author: Scott J. Shackelford

TABLE OF CONTENTS
I. Introduction
II. Introducing the Multifaceted Cyber Threat
  A. Dimensions
  B. Case for a Cybersecurity Market Failure
  C. Absence of Federal Guidance
  D. How "Reasonable" is Defined
III. Summary of State-Level Cybersecurity Laws
  A. California
  B. Ripple Effects
  C. Nevada
  D. Oregon
  E. Ohio
  F. Illinois
  G. Indiana
  H. Massachusetts
  I. New York
  J. Relevant Federal & State Court Decisions
  K. Summary
IV. Empirical Results
  A. Methodology and Limitations
  B. Perceptions and Experience with Cyber Incidents
  C. General Prevention and Mitigation Practices
  D. Use of Proactive Tools and Externally-Developed Frameworks
  E. Use of Cyber Risk Insurance
V. Policy Implications
  A. Summary and Overview of Results
  B. Implications for Defining Reasonability
  C. Implications for Designing Interventions to Improve General Cybersecurity Due Diligence
VI. Conclusion

I. INTRODUCTION
The expansion of the digital economy has brought sustained increases in productivity, but also new risks and vulnerabilities. (1) However, what constitutes "reasonable" cybersecurity has long vexed both businesses and policymakers. After all, even some of the most sophisticated operators have fallen victim to cyber attacks. Consider the December 2020 breach of the leading cybersecurity firm FireEye, which serves a who's who list of clients around the world and was allegedly breached by Russia's Cozy Bear group. (2) Although the red team attack tools released in the breach were worrisome enough, the full extent of the damage only emerged in the following weeks when it became public that the attackers had gained access through the vendor SolarWinds, which, like FireEye, also had government contracts. The SolarWinds breach ultimately led to revelations of widespread breaches at nine U.S. government agencies and more than 100 firms. (3) The episode underscored the main lesson that any organization can be breached--regardless of the cutting-edge array of cybersecurity best practices that they have deployed or how much they spend--due to vulnerabilities in supply chains that the SolarWinds campaign laid bare. (4) Yet, although cyber risk can never be eliminated, it can be better managed through incentivizing--and even requiring--technical and organizational cybersecurity best practices. (5) There are diverging opinions and approaches, though, across jurisdictions about the best way to balance both rules and standards to enhance overall cybersecurity due diligence.
Given a lack of clear guidance from Congress as to what constitutes "reasonable" cybersecurity outside of certain critical infrastructure contexts such as healthcare and finance, (6) some states have filled the vacuum by passing laws that encourage or require companies operating within their jurisdictions to adopt reasonable cybersecurity practices, such as California's 2020 mandate for manufacturers of Internet-connected devices. (7) Other states, including Ohio, have instead provided safe harbors that reward companies for investing in a pre-determined list of recognized cybersecurity standards and frameworks--such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)--by limiting their liability in the aftermath of a data breach. (8) There are benefits and drawbacks to both approaches, as well as to alternatives such as disclosure mandates and even proposed strict liability regimes, that deserve deep analysis as a growing slate of states consider new regulations in this space. (9)
Yet the literature to date has underappreciated this issue. (10) We therefore argue that--as new state and federal laws are considered--the time is right to ask what can be learned from these varied efforts at defining and enforcing "reasonable" cybersecurity, to inform policymakers and practitioners alike. Our findings point to the need for an empirically grounded, flexible approach that combines a minimum (i.e., "common floor") set of standards drawn from widely recognized cybersecurity best practices with sector-specific guidance and an effort to inform consumers of their rights and the importance of exercising them.
This Article is structured as follows. Part II introduces the multifaceted array of cyber threats facing organizations and the market failure in cybersecurity that has emerged in the absence of comprehensive federal guidance. Part III then summarizes the current status of state-level cybersecurity policymaking, with a special emphasis on how states are defining "reasonable" cybersecurity. Part IV reports the results of a statewide survey of how organizations in Indiana perceive cyber risk, what practices they follow, and how they interpret "reasonable" cybersecurity; the survey was conducted in partnership with the Indiana Attorney General's Office, the Indiana Business Research Center, and the Indiana Executive Council on Cybersecurity. Finally, Part V summarizes the preceding analysis and offers a series of policy suggestions, grounded in these findings, for how to better educate and incentivize firms to institute reasonable cybersecurity best practices, and in so doing better protect their networks, intellectual property, employees, customers, and national security.
II. INTRODUCING THE MULTIFACETED CYBER THREAT
Cybersecurity has been elevated to a national security concern and a source of geopolitical risk over the past two decades. (11) The incidence of data breaches, for example, has grown over time, more than tripling from 2005 to 2018 (12) and costing between $57 billion and $109 billion per year according to some of the more conservative estimates. (13) Others suggest that the economic and social costs of the various types of cybercrime could run into the trillions, (14) while the global cybersecurity market is projected to grow to more than $340 billion by 2027. (15) Moreover, the threat vectors are heterogeneous, consisting not only of idiosyncratic malicious actors (16) but also of nation states. (17) As the digital economy continues to expand, these risks will continue to grow, and they must be properly identified before the right countervailing responses can be developed. That task, needless to say, is a tall order, particularly for the small and medium-sized businesses that often bear the brunt of cyber incidents, as discussed further in Part IV. (18)
A. Dimensions
There are multiple dimensions of cybersecurity risk that influence how to think about "reasonable" cybersecurity measures. First, economic considerations. Malicious attacks cost the economy billions each year, through both the direct costs to a firm's reputation or physical equipment and the indirect cost of allocating a portion of the budget to information security, which tends to offer no consumer benefit apart from protecting data. (19) That is, information security investments do nothing by themselves to deliver greater consumer value; they simply reduce the probability of future harm to the organization. (20)
One of the ways that organizations are exposed to cyber risk and incur economic costs is through their supply chains. Even when an organization insulates itself against risk, a breach of a vendor that has access to its network can create a ripple effect. (21) Recent empirical work suggests that, once these supply chain linkages are accounted for, the professional services sector carries the highest risk and the most vulnerabilities, which is intuitive since nearly every other sector depends on professional services, whether for software or consulting. (22) These inter-sectoral linkages exacerbate the underinvestment in cybersecurity, since no single organization fully internalizes the aggregate costs of these attacks. (23) Moreover, as we discuss later, the varying degrees of inter-sectoral linkage are one reason we suggest a common floor of best practices coupled with additional sector-specific guidance.
Second, social considerations. While there are admittedly technological vulnerabilities and issues at play, there is also a dimension of consumer psychology in cybersecurity. (24) For example, a consumer who clicks on a phishing email and opens their computer up to malware makes an incorrect judgment call whose consequences, as recent breaches make clear, are difficult to keep from spreading to the wider organization and ecosystem. (25) Recent empirical research finds that most consumers are inattentive to these threats: consumers in countries with greater cyber vulnerabilities do not appear to be any more worried about the potential for internet fraud, for example. (26)
One reason behind many of these vulnerabilities, and behind the lack of a deliberate market response, is the low salience of the attacks. Although some of the largest data breaches are associated with declines in the organization's brand and reputation, the average-sized data breach is associated with an increase in brand power, driven by an increase in favorability towards the brand. (27) Data breaches among firms in consumer-centered sectors, however, are associated with declines in brand trust. (28) These patterns suggest that average-sized malicious attacks may simply raise the profile of the company in consumers' minds unless consumers interact with it frequently. (29)
Third, geopolitical considerations. Cybersecurity attracts not only idiosyncratic criminals but also nation states. For example, the WannaCry ransomware attack of May 2017, later attributed by the U.S. and U.K. governments to North Korea, spread as a self-propagating worm between unpatched Microsoft Windows systems, encrypting users' files and demanding a Bitcoin ransom for their return. (30) Microsoft had released a patch closing the exploited vulnerability two months earlier, but many consumers and organizations do not regularly update their operating systems, leaving them exposed. In the end, the attack affected roughly 230,000 computers globally, costing an estimated $4 billion...
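An added example, not part of the Article: a PowerShell audit of the exposure WannaCry exploited. WannaCry propagated over SMBv1 using the leaked EternalBlue exploit, which Microsoft had fixed in security bulletin MS17-010 in March 2017 (details the Article does not spell out). The script reports whether SMBv1 is still enabled on a Windows host and how stale its patching is, and offers a remediation function. The function names are ours; the cmdlets are standard Windows PowerShell and require an elevated prompt.

```powershell
# Added example (not from the article): audit a Windows host for the exposure
# WannaCry exploited. WannaCry spread via the EternalBlue SMBv1 exploit, which
# Microsoft patched in MS17-010 (March 2017), two months before the outbreak.
# Reports whether SMBv1 is still enabled and how long since the last hotfix.
# Run from an elevated PowerShell prompt.

function Get-Smb1Exposure {
    [CmdletBinding()]
    param()

    # Server-side SMBv1 setting: the listener WannaCry attacked.
    $server = Get-SmbServerConfiguration | Select-Object -ExpandProperty EnableSMB1Protocol

    # Optional-feature state (Windows 8.1 / Server 2012 R2 and later). Older
    # systems do not expose this feature, so a failed lookup is reported as Unknown.
    $feature = 'Unknown'
    try {
        $feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop).State
    } catch { }

    # Most recent installed hotfix, as a proxy for how stale patching is.
    $lastFix = Get-HotFix | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Smb1ServerEnabled   = $server
        Smb1FeatureState    = $feature
        LastHotfixId        = $lastFix.HotFixID
        LastHotfixDate      = $lastFix.InstalledOn
        DaysSinceLastHotfix = if ($lastFix) { (New-TimeSpan -Start $lastFix.InstalledOn).Days } else { $null }
        # Exposed if either the server setting or the feature still has SMBv1 on.
        Exposed             = ($server -eq $true) -or ("$feature" -eq 'Enabled')
    }
}

# Remediation: turn off the SMBv1 server and remove the feature where present.
function Disable-Smb1 {
    [CmdletBinding()]
    param()
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    try {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction Stop | Out-Null
    } catch {
        Write-Warning "SMB1Protocol optional feature not available on this OS; server setting disabled only."
    }
}

# Usage: report first, then remediate if exposed.
$report = Get-Smb1Exposure
$report | Format-List
if ($report.Exposed) { Write-Warning "SMBv1 is enabled; run Disable-Smb1 to remediate." }
```

Disabling SMBv1 removes the protocol WannaCry used to spread, but it is not a substitute for applying the vendor patch: keep the host current as well, and treat a large DaysSinceLastHotfix value as its own finding.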