This Sedona Conference Publication Can Help Identify a Reasonable Security Test for PII: eDiscovery Best Practices

A few days ago, The Sedona Conference® (TSC) and its Working Group 11 on Data Security and Privacy Liability (WG11) announced a new commentary on a reasonable security test.  Here’s information on what it’s about and where you can find it.

TSC and WG11 announced that The Sedona Conference Commentary on a Reasonable Security Test (“Commentary”) has been published for public comment.  It’s available for download for FREE here. As TSC notes in their announcement email, WG11 developed this Commentary to address what “legal test” a court or other adjudicative body should apply in a situation where a party has, or is alleged to have, a legal obligation to provide “reasonable security” for personal information, and the issue is whether the party in question has met that legal obligation.

It proposes a reasonable security test that is designed to be consistent with models for determining “reasonableness” that have been used in various other contexts by courts, in legislative and regulatory oversight, and in information security control frameworks. All of these regimes use a form of risk analysis to balance cost and benefit. The proposed test provides a practical method for expressing cost/benefit analysis that can be applied in data security regulatory actions, to litigation, and to information security practitioners using their current evaluation techniques. The Commentary also explains how the analysis should apply in the data security context. Because the test is rooted in commonly held principles, the drafters believe it offers methods for deriving reasonableness that are familiar to all interested parties. But it should be noted that depending on their text, individual laws or rules that require reasonable security might require use of a different analysis.

The Commentary is contained within a 57-page PDF guide.  In addition to a 4-page, multi-part Introduction and a 1-page Conclusion, the Commentary is comprised of two primary parts and 1 Appendix, as follows:

  • Part I provides an overview of the test itself, including articulation of the test and explanation of the test (including controls, burdens, benefits, when to apply the test, illustrations of the application of the test, etc.);
  • Part II addresses additional discussion, including the work that led to the test, all the things “ruled out” and the importance of flexibility.
  • An extensive Appendix A with three exemplar cases that reflect “the facts, issues, and causes in each scenario” with “common components of breaches that the drafters have been professionally involved in.”

The Commentary is open for public comment through November 18, 2020. As always, questions and comments may be sent to comments@sedonaconference.org. The drafting team will carefully consider all comments received, and determine what edits are appropriate for the final version.  And, a webinar on the Commentary will be scheduled in the coming weeks, and will be announced by email and on The Sedona Conference website.  It will be interesting to see what comments the WG11 team receives regarding this ever-evolving topic.

Also, just a reminder that on Wednesday, October 7th, ACEDS will conduct the webinar “Zooming” into 2021 with Audio/Video Discovery, sponsored by Nexidia at 1pm ET (noon CT, 10am PT).  In this presentation, join Brett Burney, Principal of Burney Consultants LLC, Ashley Griggs, Director of Legal Markets at Nexidia and me to learn how to address the trends and challenges of audio/video discovery in 2021 and beyond!

So, what do you think?  Have you checked out this latest TSC Commentary yet?  If so, what did you think?   Please share any comments you might have or if you’d like to know more about a particular topic.

ProSearch

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Leave a Reply