Revisiting Reasonable Cybersecurity

Prospective theories of cybersecurity liability have traveled over some well-worn paths over the past three decades, resulting in some successes, but also in at least as many cul-de-sacs and dead ends. Part of this problem can be found in the difficulty and complexity of the subject itself. Courts, legislators, and regulators all face comprehension difficulties when they attempt to fit our existing legal system around cybersecurity, often resulting in half-measures and generalized solutions that are challenging to apply to the widely different technical details behind each case. And in the background, we have a general reluctance to create legal regimes that might unnecessarily hinder the technology industry.

The resulting legal landscape for cybersecurity is an incoherent and ineffectual mess. But as our political, military, economic, infrastructural, and social systems continue to increase their dependency on potentially insecure software and hardware, our timidity and indecision around cybersecurity liability incur greater real-world harms. Because of our muddled and incomplete cybersecurity legal frameworks, the associated costs are not necessarily borne by the appropriate or most culpable parties. The gaps in our current legal and regulatory frameworks make it next to impossible to consistently and reliably apportion damages or apply incentives, and they reduce cybersecurity policies to a series of wish lists.

This Article means to advance the cybersecurity liability conversation by taking another look at what are considered “reasonable” cybersecurity practices informed by current accepted frameworks, regulatory decisions, case law, policy goals, and other lessons learned. The Article will rely heavily on common law standards of reasonableness, but will also look to standards used within other legal theories and policy frameworks. This Article borrows useful components of reasonableness from an array of sources to derive a test to assess the reasonableness of cybersecurity-related actions and choices. This test is meant to provide a flexible standard that is technically grounded, empirically precise, yet accessible enough for courts and lawmakers to fairly apply to cybersecurity cases that are sure to present new challenges as our technologies continue to evolve.


* Georgia State University College of Law. The author would like to thank Steve Bellovin, Bryan Choi, Jeff Kosseff, Susan Landau, Alan Rozenshtein, Josephine Wolff; the organizers and participants of the 2023 Cybersecurity Law and Policy Scholars Conference; the faculty at the University of Oklahoma College of Law; and the participants of the 2024 Georgia State University College of Law Faculty Workshop.