On February 16, 2021, The Sedona Conference (TSC) – a nonpartisan, nonprofit research and educational institute “dedicated to the advanced study of law and policy in the areas of antitrust law, complex litigation and intellectual property rights” – released its final “Commentary on a Reasonable Security Test”. TSC is well known for previously helping courts around the country determine the proper contours of e-discovery.
Recognizing that cybersecurity reasonableness crosses both the legal and the technology domains, TSC sought a reasonableness test that would help bridge that divide. Accordingly, the proposed test for reasonable security was designed to be consistent with “models for determining reasonableness that have been used in various other contexts by courts, in legislative and regulatory oversight, and in information security control frameworks.” The Sedona Conference, Commentary on a Reasonable Security Test, 22 SEDONA CONF. J. 345, 358 (forthcoming 2021). To that end, the test is ultimately based on the landmark Learned Hand negligence formula in United States v. Carroll Towing Co., 159 F.2d 169, 173 (2d Cir. 1947), under which a party is negligent if the burden of adequate precautions is less than the probability of harm multiplied by its magnitude.
The Sedona Conference Reasonable Security Test consists of the inequality B₂ − B₁ < (P × H)₁ − (P × H)₂, where B represents the burden of a control, P represents the probability of harm, H represents the magnitude of harm, subscript 1 represents the controls (or lack thereof) in place at the time the information steward allegedly had unreasonable security, and subscript 2 represents the alternative or supplementary control that, it is argued, should have been in place. 22 SEDONA CONF. J. at 360. Consistent with Carroll Towing, the inequality is satisfied, and the steward's security is therefore unreasonable, when the incremental burden of adopting the alternative control (B₂ − B₁) is less than the reduction in expected harm that control would have achieved ((P × H)₁ − (P × H)₂). Note that the test is incremental: it does not ask whether a control was affordable in the abstract, but whether its marginal cost was justified by its marginal risk reduction relative to what was actually deployed.
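The following worked reading of the test is added here as an illustration and is not part of the Commentary's own text; the dollar and probability figures are constructed for the example, not drawn from any case. Rearranging the inequality shows that it compares total expected cost (burden plus expected harm) under the two control states:

$$
B_2 - B_1 < (P \times H)_1 - (P \times H)_2
\;\Longleftrightarrow\;
B_2 + (P \times H)_2 < B_1 + (P \times H)_1
$$

That is, the steward's security was unreasonable if the alternative control would have produced a lower sum of burden and expected harm than the controls actually in place.

Constructed instance. Suppose no control was deployed ($B_1 = 0$), the annual probability of a breach in that state was $P_1 = 0.10$, and the magnitude of harm was $H = \$5{,}000{,}000$ in both states, so $(P \times H)_1 = \$500{,}000$. Suppose the proposed control would have cost $B_2 = \$150{,}000$ and reduced the probability to $P_2 = 0.02$, so $(P \times H)_2 = \$100{,}000$. Then

$$
B_2 - B_1 = \$150{,}000 \;<\; \$400{,}000 = (P \times H)_1 - (P \times H)_2
$$

and the test is met: the security in place was unreasonable. Had the same control instead cost $B_2 = \$600{,}000$, the left side would be $\$600{,}000 > \$400{,}000$, the inequality would fail, and omitting the control would not be unreasonable under this test. Two caveats a practitioner should keep in mind: the Commentary's formula lets H as well as P differ between the two states (a control such as encryption may reduce the magnitude of harm rather than its likelihood), and the test is applied control by control, so a steward can satisfy it for one proposed control and fail it for another.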
TSC’s Commentary should be carefully studied for numerous reasons, including the fact that TSC applies the test to actual recent enforcement actions and provides solid arguments for its judicial application. As with its highly cited e-discovery initiatives, this new TSC approach may very well be relied on by courts tackling the important question of what constitutes reasonable security in data breach litigation or enforcement actions.