Defining 'Reasonable' Cybersecurity: Lessons from the States

51 pages. Posted: 10 Sep 2021. Last revised: 25 Feb 2022.

Scott Shackelford

Indiana University - Kelley School of Business - Department of Business Law; Indiana University Bloomington - The Vincent and Elinor Ostrom Workshop in Political Theory & Policy Analysis; Center for Applied Cybersecurity Research; Harvard Kennedy School Belfer Center for Science & International Affairs; Stanford Center for Internet and Society; Stanford Law School

Anne Boustead

University of Arizona - School of Government and Public Policy

Christos Makridis

Arizona State University (ASU) - W.P. Carey School of Business; The Gallup Organization; Stanford University - Stanford Institute for Human-Centered Artificial Intelligence; Institute for the Future (IFF), Department of Digital Innovation, School of Business, University of Nicosia

Date Written: September 7, 2021

Abstract

Questions over what constitutes "reasonable" cybersecurity reporting and operating practices have long vexed businesses and policymakers. Given a lack of clear guidance from Congress, states have filled the vacuum by passing a series of laws requiring "reasonable" cybersecurity, for example from manufacturers of Internet-connected devices. Other states, such as Ohio, have instead elected to provide safe harbors: Ohio rewards companies that invest in a pre-determined list of recognized cybersecurity standards and frameworks, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, by minimizing their liability in the aftermath of a data breach. This Article: (1) summarizes the current state of state-level cybersecurity policymaking, with a special emphasis on how states are defining "reasonable" cybersecurity; (2) reports the results of a statewide survey on cybersecurity perceptions and practices among organizations in Indiana, conducted in partnership with the Indiana Attorney General's Office; and (3) makes a series of suggestions, based on these findings, about how to better educate and incentivize firms to institute reasonable cybersecurity best practices.

Keywords: cybersecurity, safe harbor

Suggested Citation

Shackelford, Scott J. and Boustead, Anne and Makridis, Christos, Defining 'Reasonable' Cybersecurity: Lessons from the States (September 7, 2021). Available at SSRN: https://ssrn.com/abstract=3919275 or http://dx.doi.org/10.2139/ssrn.3919275

Scott J. Shackelford (Contact Author)

Indiana University - Kelley School of Business - Department of Business Law

Bloomington, IN 47405
United States

Indiana University Bloomington - The Vincent and Elinor Ostrom Workshop in Political Theory & Policy Analysis

513 N. Park Avenue
Bloomington, IN
United States

Center for Applied Cybersecurity Research

Wylie Hall 105
100 South Woodlawn
Bloomington, IN 47405
United States

Harvard Kennedy School Belfer Center for Science & International Affairs

79 JFK Street
Cambridge, MA 02138
United States

Stanford Center for Internet and Society

Palo Alto, CA
United States

Stanford Law School

367 Panama St
Stanford, CA 94305
United States

Anne Boustead

University of Arizona - School of Government and Public Policy

315 Social Science Building
Tucson, AZ 85721
United States

Christos Makridis

Arizona State University (ASU) - W.P. Carey School of Business

Tempe, AZ 85287-3706
United States

The Gallup Organization

Washington, DC 20004
United States

Stanford University - Stanford Institute for Human-Centered Artificial Intelligence

210 Panama St.
Cordura Hall
Stanford, CA 94305
United States

Institute for the Future (IFF), Department of Digital Innovation, School of Business, University of Nicosia

Nicosia, 2417
Cyprus
