Reasonable security means that safeguards must not pose a higher risk to the organization than the lack of safeguards poses to others.
- HIPAA - "The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI."
- California IoT Act - "a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure."
- Genetic Information Privacy Act (“GIPA”) - "a direct-to-consumer genetic testing company to implement and maintain reasonable security procedures and practices to protect a consumer's genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable a consumer to access their genetic data, and to delete their account and genetic data."
- Florida's Protecting DNA Privacy Act - "A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure."
State Privacy/Consumer Data Laws
- CCPA - "duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information"
- Colorado - "requires certain persons and entities to take reasonable steps to protect PII."
- DC Security Breach Protection Amendment Act - "Implement and maintain reasonable security safeguards, including procedures and practices that are appropriate to the nature of the personal information and the nature and size of the entity or operation."
- Ohio Data Security Law - "implement reasonable information security controls"
- Virginia Consumer Data Protection Act (“VCDPA”) - "Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data."
Guidance on Reasonable Security
- Duty of Care Risk Analysis (DoCRA) - Duty of care risk analysis helps organizations determine whether they apply safeguards that appropriately protect others from harm while presenting a reasonable burden to themselves.
- The Sedona Conference released its Commentary on a Reasonable Security Test to help the regulatory and litigation communities “move the law forward in a reasoned and just way.” The Sedona Conference is a nonpartisan, nonprofit 501(c)(3) research and educational institute dedicated to the advanced study of law and policy in the areas of antitrust laws, complex litigation, intellectual property rights, and data security and privacy law.