How much security is enough and, is the answer the same in a courtroom?

One of the recurring questions in information security management is how much security is “enough”? For organizations that have adopted risk-based approaches to information assurance, the level of security protection they put in place is directly correlated to the value of the assets the measures are intended to protect, and to the anticipated impact (loss) to the organization if those assets are compromised. That’s all well and good from a management perspective, but the right risk-based answer may not be the right legal answer  in the sort of highly publicized data breaches, cyber attacks, and other security events that lead to losses not just by the organizations that suffer these incidents, but also by their customers, partners, or other stakeholders. If an organization suffers a breach that puts its customers at risk, what does the organization have to do to try demonstrate it has appropriate security measures in place, and therefore to minimize exposure to tort liability?

One answer to this question lies in the legal principle of due care (sometimes referred to as “reasonable care”), which is the effort a reasonable party would take to prevent harm, and which is a core tenet of tort law. The classic legal precedent for the standard of due care is the U.S. Appellate Court ruling from 1932 in the T.J. Hooper case, which held the Eastern Transportation Company liable for the loss of cargo being transported on a barge towed by the Hooper (a tugboat), because the crew of the Hooper failed to use a radio receiver that would have allowed them to hear locally broadcasted weather reports that warned of unfavorable condition. The court ruled that the loss “was a direct consequence” of the failure to use available safety technology, even thought at the time the use of such radios was far from pervasive. Bringing this precedent forward to the modern computing age, the standard of due care means that if an organization suffers a loss, and the means are available to have prevented the loss, the organization can be held liable for the loss due to its failure to use the available protective measures.

So what’s clear from a legal perspective is that organizations have to make appropriate efforts to secure their assets from harm. But once again, how much is sufficient to meet the standard of due care? We have no conclusive answer to this question, but were very pleased to see a discussion of “legal defensibility doctrine” from Ben Tomhave, which nicely integrates the related ideas of legal defensibility, reasonableness of security efforts, and practical acceptance of the inevitability of security incident occurrence. It also picks up on a theme expressed by others  that conventional risk management (at least as commonly practiced) may be insufficient to arrive at appropriate levels of security and therefore leave the organizations more legally vulnerable than they would like to be.