Reasonable Security

Definition

A legal standard requiring organizations to implement security measures appropriate to the sensitivity and volume of personal data they process, considering current technology, implementation costs, and potential risks. What constitutes 'reasonable' varies by jurisdiction, industry, and data type. Under GDPR Article 32, this includes pseudonymization, encryption, system resilience, and regular testing. The FTC evaluates reasonableness based on factors like data sensitivity, business size, and cost of safeguards. State breach notification laws often require 'reasonable security' without defining specific measures. Courts consider industry standards, expert practices, and whether security was proportionate to risks. This flexible standard means businesses should regularly reassess security postures, conduct risk assessments, and implement layered defenses including technical controls (firewalls, encryption), administrative policies (access controls, training), and physical security measures.

Applicable Laws & Regulations

  1. GDPR Article 32
  2. CCPA Section 1798.150
  3. FTC Act Section 5
  4. State Breach Notification Laws