Reasonable Security in the Law

Many laws require that businesses implement “reasonable security” practices and procedures or reasonable security safeguards. Some of these include GLBA, HIPAA, CCPA and the NY SHIELD Act. To many, the definition of reasonable security is elusive and ambiguous. I speak with many attorneys who focus on privacy and data security. Whenever I meet a new one, I ask for their definition of “reasonable security”. There is a definition based on tort law. To the chagrin of many business leaders and IT leaders, since “reasonable security” is a legal term, it is not easily translated into a specific list of safeguards that must be implemented. All laws that speak about “reasonable” security require that foreseeable or “likely” security events are identified and addressed with safeguards, and that those safeguards protect not only the business but also others to whom the business owes a “duty of care”.

A Risk-based Approach to Reasonable Security

It turns out that the translation of reasonable security from a legal term into a list of implementable safeguards will be unique for each business. This is because, as a “duty of care”, the business needs to protect itself, its customers and others. These stakeholders, and the assets that a business needs to protect, are unique to each business. Security laws are designed to support this when the business uses a risk-based approach to define and implement safeguards: identify the assets to be protected, identify the threats to those assets, then prioritize and align administrative, technical and physical safeguards to those assets.

How to Get to Reasonable

Ultimately, “reasonable” means that the business can show that it has exercised its duty of care to others while limiting the burden to the business at the same time. Reasonable means reasonable to everyone. In many businesses, the IT organization is asked to recommend technical controls like firewalls, password strength, and encryption. Since this approach does not clearly show that the business has foreseen the impact to the business, its customers and others, it cannot be shown to be reasonable.

For a more detailed discussion of laws and reasonable security, read our white paper called Reasonable Security.

Learn more about our virtual CISO services here.