Simplify Data Protection with a Risk-Based Approach to ‘Reasonable Security’

The exponential increase in the digitalization of data has been a double-edged sword for most organizations. Digitalization increases new business opportunities by facilitating a better understanding of an organization’s stakeholders, including customers and suppliers; however, it also increases risks related to security and privacy. Adding to this trade-off challenge is the rapid evolution of cyberthreats and disruption associated with the economic impact of ransomware.  

Trying to keep up has put organizations in an almost impossible position, and simply increasing cybersecurity spending isn’t the answer. Organizations need a risk management approach that is resilient and sustainable — a model that helps them evaluate IT investments, scale cyber controls based on the sensitivity of specific data and maintain compliance with the increasing expectations promulgated in issued privacy and security regulations. 

To meet regulatory and industry expectations, which vary from being highly prescriptive (such as PCI-DSS) to more principle-based (such as current Securities and Exchange Commission disclosures regarding “material” cyber incidents), organizations need to demonstrate they have implemented an information security program that is “reasonably designed.” Since each firm and its data are unique, a reasonably designed security program is the function of the organization’s specific cyber risks and the information that’s most valuable to them, and the data that is the most regulated. Let’s look at what that means and how organizations can get there.

To start, we have to differentiate between data privacy, a legal concept for individuals’ right to the confidentiality of their personal information, and data security, which is the protection of organizational data. Organizations need to know where they are subject to jurisdictional oversight for both. 

Depending on where an organization does business, it may be subject to the European Union’s General Data Protection Regulation and a variety of U.S. data privacy statutes, such as HIPAA for healthcare organizations or the Gramm-Leach-Bliley Act for financial institutions. Without a single comprehensive federal law, it may also fall under a patchwork of state laws. Once an organization determines what regulations it is subject to, it can decide what it must do from a risk and compliance perspective to meet those various requirements.

It’s important to note that regulators are increasing their focus on security and privacy violations. For example, in 2023, changes to the Federal Trade Commission’s Safeguards Rule go into effect that will impact an expanded scope of firms requiring enhanced controls across consumer information (an earlier deadline of Dec. 9, 2022, was extended by the agency). The FTC has been an active regulator, particularly for companies that misrepresent the robustness of their privacy controls to consumers, and violations of the new Safeguards Rule provisions can be in excess of $40,000 per day. In addition to increased enforcement of FTC privacy regulations, the U.S. Department of Justice announced in 2021 a new cyberfraud initiative covering government contractors and grant recipients whose cybersecurity practices violate the False Claims Act. The DOJ recently announced a settlement of $9 million with a single firm for federal government contract cybersecurity violations.

When we look at various regulatory actions that have occurred, we can identify a few key takeaways. 

First, data privacy is a legal concept. Second, regulators assess organizations’ information security programs based on whether they are reasonably designed to protect the security, confidentiality and integrity of personal information. (It’s worth noting, too, that the definition of personal information continues to evolve alongside advances in biometrics, geolocation and other areas.) All of this can be confusing for organizations, but the ultimate goal is to establish “reasonable security” because that is defensible from a legal perspective and, more important, provides a framework of common understanding and expectations. 

Although this objective may be burdensome and may require a cross-functional effort, organizations should be able to identify the types of data they collect, process and share across their information assets. In certain jurisdictions, this information is necessary to meet legal requirements. For instance, if an organization is subject to the California Consumer Privacy Act and a consumer wants his or her data removed, the organization must know where it lives to comply with the request.  The starting point for this approach is data classification and data mapping, with sensitivity levels that dictate who has access to data, how organizations should dispose of data and other factors. Without knowledge of how data pulses throughout an organization, it will be difficult to argue that the reasonable security standard can be met. 

So, what constitutes reasonable security? The answer is unique to each organization, but certain control practices have become widely used and accepted, such as multifactor authentication, endpoint protection, incident response and data encryption.  

Underlying these controls should be strong governance oversight by a board of directors and robust, ongoing risk assessments that serve to prioritize technical and administrative resources to mitigate the likelihood and magnitude of an adverse cyber incident.  Efficacy matters: Internal controls designed well but not operationally effective don’t constitute reasonable protection.

Because resources are limited, the best strategy is to establish a risk-based, rational allocation approach to guide decision-making on all cybersecurity investments, focused on incremental cost and benefit, similar to investment models used in other business areas. Such a model enables organizations to understand their cyber risk and control posture using an accepted cybersecurity framework and assess security investments accordingly. That can help organizations break the cycle of increasing their cybersecurity budgets without seeing a corresponding risk reduction. Robust risk-based models also ensure that organizations are addressing jurisdictional requirements while also allowing them to scale their defenses based on the sensitivity of the data they need to protect.

Story by Larry Burke, CPA, CGMA, CITP, a principal with the Global Security Strategy Office of Focal Point.  He serves as an executive leader providing governance, risk and compliance advisory and assurance services, mostly to large global organizations operating in industries under various regulatory and industry frameworks including SOX, NIST, ISO, COBIT, COSO and FTC consent orders.  He also serves as the lead audit executive for several internal audit outsource and co-source engagements reporting to the Audit Committee.  Before Focal Point was acquired by CDW in 2021, he served as the managing partner of Focal Point Data Risk Assurance, which is a CPA firm that issued SOC 1/2/3 and HITRUST reports.  Previously, Burke served as the CFO of a national healthcare services firm. He has also held progressive financial leadership positions in both publicly traded companies and in public accounting.  He is a doctoral candidate in the executive Ph.D. program at Florida Atlantic University.