Defining 'Reasonable' Cybersecurity: Lessons from the States

51 Pages. Posted: 10 Sep 2021. Last revised: 25 Feb 2022

Scott Shackelford

Indiana University - Kelley School of Business - Department of Business Law; Harvard Kennedy School Belfer Center for Science & International Affairs; Center for Applied Cybersecurity Research; Stanford Center for Internet and Society; Stanford Law School

Anne Boustead

University of Arizona - School of Government and Public Policy

Christos Makridis

Stanford University; Columbia University - Columbia Business School; Arizona State University (ASU); Department of Veterans Affairs (VA)

Date Written: September 7, 2021

Abstract

Questions over what constitutes ‘reasonable’ cybersecurity reporting and operating practices have long vexed businesses and policymakers. Given a lack of clear guidance from Congress, states have filled the vacuum by passing a series of laws requiring “reasonable” cybersecurity, such as for manufacturers of Internet-connected devices. Other states, like Ohio, have elected instead to provide safe harbors; Ohio rewards companies for investing in a pre-determined list of recognized cybersecurity standards and frameworks – such as the National Institute for Standards and Technology (NIST) Cybersecurity Framework – by minimizing liability in the aftermath of a data breach. This Article: (1) summarizes the current state of state-level cybersecurity policymaking with a special emphasis on how states are defining “reasonable” cybersecurity; (2) discloses the results of a statewide survey on cybersecurity perceptions and practices among organizations in Indiana done in partnership with the Indiana Attorney General’s Office; and (3) makes a series of suggestions based on these findings about how to better educate and incentivize firms about instituting reasonable cybersecurity best practices.

Keywords: cybersecurity, safe harbor

Suggested Citation

Shackelford, Scott J. and Boustead, Anne and Makridis, Christos, Defining 'Reasonable' Cybersecurity: Lessons from the States (September 7, 2021). Available at SSRN: https://ssrn.com/abstract=3919275 or http://dx.doi.org/10.2139/ssrn.3919275

Scott J. Shackelford (Contact Author)

Indiana University - Kelley School of Business - Department of Business Law

Bloomington, IN 47405
United States

Harvard Kennedy School Belfer Center for Science & International Affairs

79 JFK Street
Cambridge, MA 02138
United States

Center for Applied Cybersecurity Research

Wylie Hall 105
100 South Woodlawn
Bloomington, IN 47405
United States

Stanford Center for Internet and Society

Palo Alto, CA
United States

Stanford Law School

Stanford, CA 94305
United States

Anne Boustead

University of Arizona - School of Government and Public Policy

315 Social Science Building
Tucson, AZ 85721
United States

Christos Makridis

Stanford University

Stanford, CA 94305
United States

Columbia University - Columbia Business School

3022 Broadway
New York, NY 10027
United States

Arizona State University (ASU)

Farmer Building 440G PO Box 872011
Tempe, AZ 85287
United States

Department of Veterans Affairs (VA)

810 Vermont Avenue NW
Washington, DC 20420
United States