What is "reasonable security"? And how to meet the requirement

Privacy regulations such as the GDPR and CCPA require companies to provide "reasonable security" to protect customers' personal information. Here's how you might best achieve that standard.


“Reasonable security” has been a requirement set by regulations such as the California Consumer Privacy Act (CCPA) and California’s AB 1950. Failure to meet the requirement could be the basis of a common tort legal cause of action called “negligence.” A “cause of action” is a reason you can sue someone, and a tort is a wrong that allows an injured party to seek relief from a court in a civil suit.

To sue someone for negligence, you usually have to prove four elements:

  1. The defendant had a duty to the plaintiff
  2. The defendant breached the duty
  3. The breach of defendant’s duty was the cause of plaintiff’s harm
  4. The harm to the plaintiff resulted in articulable damages.

When someone gives a company sensitive data, that company has a duty to protect and handle that data responsibly. How can security management tell whether their company is properly safeguarding that data from a legal and regulatory perspective?

Courts have to assess your actions against a standard to determine if those actions were “reasonable.” Reasonable actions are usually based on an objective standard of how a reasonably prudent person in the same or similar circumstances would behave.
