• How Much Is Enough? Applying the “Rule of Reason” to Data Security

    Business leaders need to ask: Will the benefits from making additional investments in cybersecurity outweigh the risks from not making them?

    Economic theory suggests that a “rational” company will enhance data security only up to the point where:

    Cost of incremental security ≤ probability of breach × cost of breach

    In finding that tipping point, corporate decision makers may find it helpful to borrow a fact-based “rule of reason” approach from competition regulation. In antitrust litigation, the “rule of reason” approach acknowledges that, even if anticompetitive actions can be proven, they may also be offset by procompetitive effects.

    Applied to data security, this means that decision makers first should take a hard look at the data their company maintains, what value those data provide, and how secure the company’s systems and processes are. (See table.)

    How Much Is Enough? Applying the “Rule of Reason” to Data Security- Figure 1

    They then will need to consider all three components of the data security equation:

    1. Probability of a breach: “How likely are we to suffer a breach?” In general, a company’s risk may increase depending on how many records or accounts it maintains or to which it has access, how sensitive its data are (e.g., financial data, health care data, personally identifiable information), and how well it protects its points of vulnerability.
    2. Cost of a breach: “What would the economic impact be on our business if we did suffer a breach?” The cost of a breach encompasses all direct and indirect costs that a business incurs to respond to and recover from a data breach after it occurs. This comes in two primary forms: lost business, and the costs associated with responding to the breach.
    3. Cost of incremental security: “What additional measures could we take to guard against a breach or reduce its impact to our business, and at what cost?” By assessing the effectiveness of the organization’s existing data security measures relative to the risks it faces, a business can identify and evaluate its options, and the associated costs, for addressing existing or potential weaknesses.

    With this “rule of reason” approach to data security, businesses can continuously reevaluate tradeoffs between the economic risk of a data breach and the costs of mitigating the risk. ■ 


    Almudena Arcelus, Senior Advisor
    Brian Ellman, Principal
    Randal S. Milch, Co-Chair, NYU Center for Cybersecurity

    Adapted from “How Much is Data Security Worth?” by Almudena Arcelus, Brian Ellman, and Randal S. Milch, The SciTech Lawyer, Spring 2019.