The Standard of Care

Explained Simply

What is considered “reasonable” security—and how courts apply it.

What Is the “Standard of Care” in Cybersecurity?

Think of it like this: if you left your front door open and someone stole your belongings, you’d probably be blamed for not securing your home. The same applies to cybersecurity. When an organization is breached, the question becomes: Did they do enough to protect the data? The standard of care is the legal and professional benchmark that determines whether an organization took reasonable steps to prevent a cyberattack.

Why It Matters to Everyone—Not Just Tech Experts

  • If you’re a school leader or business owner, you may be held legally responsible for security failures.
  • If you’re a parent or employee, this standard helps decide whether your data was properly protected.
  • If you’re a taxpayer, poor cyber hygiene could cost your community millions in recovery.

How Courts Decide What Counts as “Reasonable” Security

There’s no one-size-fits-all rulebook, but courts commonly consider:

1. Industry Frameworks

Respected cybersecurity standards include:

2. Legal Cases

  • FTC v. Wyndham (2015): Failure to use firewalls and change default passwords led to major liability.
  • In re: Equifax Data Breach (2020): $425 million settlement for failing to patch known vulnerabilities.
  • Target Data Breach (2017): $18.5 million payout for ignoring security alerts.

3. State and Federal Laws

What Happens If You Fall Short?

  • Lawsuits – for negligence or breach of duty
  • Regulatory Fines – from state or federal agencies
  • Insurance Denials – cyber insurers may refuse to pay
  • Reputation Damage – loss of public trust and business

How to Meet the Standard of Care

  1. Use an appropriate framework to establish a reasonable baseline.
  2. Perform a perpetual risk assessment to identify and rank your vulnerabilities.
  3. Identify your largest gaps: strong passwords, updates, backups, and employee training.
  4. Document your efforts – this is key in audits and legal proceedings.
  5. Continuously improve – cybersecurity is not one-and-done.

Final Takeaway

You don’t need to stop every hacker. But you do need to prove that you took reasonable, documented steps to protect sensitive data. That’s the core of the cybersecurity standard of care.

How Minerva Helps You Meet—and Prove—the Standard of Care

The Minerva Cyber Risk Management Platform was purpose-built to help schools, municipalities, and businesses meet the evolving standard of care in cybersecurity. Backed by patent-pending technology, Minerva doesn’t just help you identify risks—it creates a legally defensible record that shows you took responsible, industry-aligned steps to protect sensitive data.

By combining real-time benchmarking, control maturity scoring, and budget-aligned action plans, Minerva helps you:

  • Align with federal, state, and industry frameworks
  • Gain visibility into your gaps and prioritize them based on your legal risk
  • Generate clear documentation for board oversight, auditors, and insurers
  • Demonstrate continuous improvement and responsible stewardship

In a world where “reasonable” isn’t just a buzzword but a legal expectation, Minerva gives you the tools to prove it—clearly, consistently, and defensibly.

© 2025 V3 Cybersecurity. All rights reserved.