The IT Law Wiki


Reasonable security means that safeguards must not pose a higher risk to the organization than the lack of safeguards poses to others.


Reasonable security is required by the Federal Trade Commission (FTC) and under many data security laws such as:

State Privacy/Consumer Data Laws

CCPA - "duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information"

Colorado - "requires certain persons and entities to take reasonable steps to protect PII."

DC Security Breach Protection Amendment Act - "Implement and maintain reasonable security safeguards, including procedures and practices that are appropriate to the nature of the personal information and the nature and size of the entity or operation."

Ohio Data Security Law - "implement reasonable information security controls"

Virginia Consumer Data Protection Act (“VCDPA”) - "Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data."

Guidance on Reasonable Security

Duty of Care Risk Analysis (DoCRA) - Duty of care risk analysis helps organizations determine whether they apply safeguards that appropriately protect others from harm while presenting a reasonable burden to themselves.

The Sedona Conference released its Commentary on a Reasonable Security Test to help the regulatory and litigation communities “move the law forward in a reasoned and just way.” The Sedona Conference is a nonpartisan, nonprofit 501(c)(3) research and educational institute dedicated to the advanced study of law and policy in the areas of antitrust laws, complex litigation, intellectual property rights, and data security and privacy law.