Author: Bryan Cunningham

How to lose your company in a data breach:

  • Step 1: Suffer a data breach (which almost all companies have or will);
  • Step 2: Get sued by plaintiffs’ lawyers waiting to pounce or, worse, by an Attorney General or regulator;
  • Step 3: Be found not to have met the applicable “standard of care”;
  • Step 4: Pay up, and possibly lose your business.

“Standard of Care?” you say. What’s that, and why should I care? And where does NIST fit in?

“Standard of Care” is legalese for the minimum an organization must do to have acted “reasonably” in a lawsuit. In most data breach cases, if you are found not to have acted reasonably, e.g., by not employing sufficiently strong encryption, you likely will have to pay economic damages, sometimes reaching bet-the-company territory. Damages and penalties in a cyber breach case likely will reach $1 billion this decade.

But what is “reasonable” when it comes to meeting the applicable data-protection standard of care? In my two decades of practicing data protection and cybersecurity law, there has never been a universally accepted standard of care for data protection. One requirement that is widely accepted is that a company must use reasonably secure encryption for data in transit and at rest. Easy: just define “reasonably secure encryption” and we’ll know how to meet the standard of care and protect our companies and customers.

For most of this century, several encryption algorithms have been blessed by the U.S. National Institute of Standards and Technology (NIST) for specific uses. Though it has no direct legal authority over private-sector entities, NIST approves encryption standards for much of the U.S. Government, and NIST’s encryption standards have been adopted by much of the private sector. As such, most courts likely would find that compliance with NIST requirements meets the standard of care.

Read the full article on CPO Magazine: