It is fair to argue that in many, if not all, of the recent large-scale cases in the news, the companies made basic errors and clearly did not exhibit a standard of care. But surely we cannot stop at Justice Potter Stewart’s “I know it when I see it” test. That is not replicable or predictable enough to meet basic tenets of justice. For the proactive company, and as a guide for judges to standardize their calculus, presumably there should be some standards of cybersecurity competence or exhibitions of care that courts take into account. In this article, we examine the evidence of care that courts have deemed successful and unsuccessful.
via What Cybersecurity Standard Will a Judge Use in Equifax Breach Suits? – Lawfare