Defining “Reasonable” Cybersecurity: Lessons From the States

Scott J. Shackelford
Anne Boustead & Christos Makridis
25 YALE J.L. & TECH. 86

Questions over what constitutes “reasonable” cybersecurity reporting and operating practices have long vexed businesses and policymakers. Given a lack of clear guidance from Congress, states have filled the vacuum by passing a series of laws requiring “reasonable” cybersecurity, such as for manufacturers of Internet-connected devices. Other states have elected instead to provide safe harbors, like Ohio, which rewards companies for investing in a pre-determined list of recognized cybersecurity standards and frameworks—such as the National Institute for Standards and Technology (NIST) Cybersecurity Framework—by minimizing liability in the aftermath of a data breach. This Article: (1) summarizes the current state of state-level cybersecurity policymaking with a special emphasis on how states are defining “reasonable” cybersecurity; (2) discloses the results of a statewide survey on cybersecurity perceptions and practices among organizations in Indiana done in partnership with the Indiana Attorney General’s Office; and (3) makes a series of suggestions based on these findings about how to better educate and incentivize firms about instituting reasonable cybersecurity best practices.