Reasonable Security in the Law

Many laws require that businesses implement "reasonable security" practices and procedures, or reasonable security safeguards. Some of these include GLBA, HIPAA, CCPA and the NY SHIELD Act. Many find the definition of reasonable security elusive and ambiguous. I speak with many attorneys who focus on privacy and data security, and whenever I meet a new one, I ask for their definition of "reasonable security". To the chagrin of many business leaders and IT leaders, "reasonable security" is a legal term. It does not translate easily into a specific list of safeguards that must be implemented. All laws that speak about "reasonable" security require that foreseeable or "likely" security events be identified and addressed with safeguards, and that those safeguards protect not only the business itself but also the others to whom the business owes a "duty of care".

A Risk-based Approach to Reasonable Security

The translation of reasonable security from a legal term into a list of implementable safeguards will be unique for each business. This is because, as part of its "duty of care", the business needs to protect itself, its customers and others, and these stakeholders and the assets that need protecting are unique to each business. The translation is done by following a process: identify the assets to be protected, identify the threats to those assets, then prioritize those risks and align administrative, technical and physical safeguards to the assets.

How to Get to Reasonable

Ultimately, "reasonable" means that the business can show it has exercised its duty of care to others while limiting the burden to the business at the same time. Reasonable means reasonable to everyone. In many businesses, the IT organization is asked to recommend technical controls such as firewalls, password strength requirements, anti-malware, data loss prevention and encryption. If the organization does not start with a risk assessment, this approach is flawed. Performing a risk assessment, and updating it regularly, is what allows a business to show that it has attempted to foresee threats and their impact on the business, its customers and others. It is also important to note that technical controls are not the only safeguards that mitigate risk: administrative controls, including policies and procedures, and physical controls are important as well.

For a more detailed discussion of laws and reasonable security, read our white paper, Reasonable Security.
