UPDATE

State “Reasonable Security” Requirements — With Statutory Citations

STATE / STATUTORY REQUIREMENT

Alabama

Businesses handling sensitive personally identifying information must implement and maintain reasonable security measures.

Arkansas

Private-sector entities must take reasonable measures to protect personal information under state data-security law.

California

Covered businesses must implement reasonable security procedures and practices when collecting, maintaining, or storing personal information. (Cal. Civ. Code § 1798.81.5)

Colorado

Entities that maintain personal identifying information must implement reasonable security practices under statute. (Colo. Rev. Stat. § 6-1-713 to -713.5)

Connecticut

Law requires businesses handling personal data to adopt reasonable security safeguards.

Delaware

Controllers or businesses must implement reasonable procedures to protect personal information from unauthorized access, disclosure, or destruction. (Del. Code § 12B-100)

Florida

Entities acquiring or maintaining personal information must take reasonable measures to protect such data. (Fla. Stat. § 501.171)

Illinois

Businesses that own, license, or store personal information must implement and maintain reasonable security measures. (815 ILCS 530/45)

Kansas

Holders of personal information must exercise reasonable care and maintain appropriate security procedures. (Kan. Stat. Ann. § 50-6,139b)

Louisiana

Entities that own or license computerized data including personal information must maintain reasonable security practices. (La. Rev. Stat. § 51:3074)

Maryland

Businesses that maintain personal information must implement reasonable security procedures and practices. (Md. Code, Com. Law § 14-3503)

Massachusetts

Any person or business storing or using personal information of Massachusetts residents must secure it according to law, including via a comprehensive security program. (Mass. Gen. Laws ch. 93H and associated regulations)

Minnesota

Controllers of personal data must implement reasonable administrative, technical, and physical data security practices, proportionate to the nature and volume of the data. (Minn. Stat. §§ 325M.05, 325M.16)

Nebraska

Entities conducting business in Nebraska that maintain personal information must adopt reasonable security processes and practices. (Neb. Rev. Stat. §§ 87-801 to 807)

Nevada

Businesses that handle nonpublic personal information must implement reasonable security protections. (Nev. Rev. Stat. § 603.210)

New Hampshire

Controllers must establish and maintain reasonable administrative, technical and physical data-security practices to protect personal data. (N.H. Rev. Stat. Ann. § 507-H:6)

New Jersey

Entities processing personal data must maintain reasonable administrative, technical and physical security to protect confidentiality, integrity, and accessibility of the data. (N.J. Stat. § 56:8-166.12)

New Mexico

Businesses owning or licensing personal identifying information of New Mexico residents must maintain reasonable security precautions. (N.M. Stat. §§ 57-12C-4 to -5)

Oregon

Entities that store or process personal information must develop, implement, and maintain reasonable safeguards to protect confidentiality and integrity of personal data. (Or. Rev. Stat. § 646A.622)

Rhode Island

Controllers and processors of personal data must put in place reasonable administrative, technical and physical data-security measures appropriate to the data handled. (R.I. Gen. Laws § 6-48.1-4, § 6-48.1-7)

Tennessee

Persons controlling or processing personal information must implement reasonable security practices to protect confidentiality, integrity, and accessibility of the data. (Tenn. Code Ann. § 47-18-3305, § 47-18-3314)

Texas

“Controllers” and “Processors” handling personal data must implement administrative, technical and physical data-security practices tailored to the type and volume of data. (Tex. Bus. & Com. Code § 541.101, § 541.104)

Utah

Entities doing business in Utah that process personal data must maintain reasonable administrative, technical, and physical data security controls. (Utah Code Ann. § 13-61-302)

Vermont

Data brokers must operate a written information security program with appropriate administrative, physical, and technical safeguards for personal information. (Vt. Stat. Ann. tit. 9, §§ 2446–2447)

Virginia

Controllers of personal data must implement and maintain reasonable security measures to protect the confidentiality, integrity, and availability of personal data. (Va. Code § 59.1-578)

UPDATE NOTES

  • This list is drawn from NCSL’s “Data Security Laws – Private Sector” summary, last updated February 14, 2025.
  • For many states, the statutory citations provide the baseline obligation to implement “reasonable security procedures and practices” appropriate to the nature of the data handled.
  • In states such as Massachusetts, the requirement is more prescriptive: businesses must adopt comprehensive written security programs, periodic evaluation, and safeguards tailored to the amount and sensitivity of data.

__________

Ever since the European Union released the General Data Protection Regulation (GDPR) more than three years ago, state governments across the U.S. have taken steps to establish their own cybersecurity compliance standards.  Some of the more recent legislation has come from California and Colorado.  Both of these regulations outline the punitive measures that an organization will face should they experience a data breach due to an act of negligence.  Punitive fines traditionally encourage companies to comply.  Unfortunately, there are organizations that fall under the jurisdiction of these state compliance regulations but still remain noncompliant.  Hence, the old adage, you can lead a horse to water, but you can’t make him drink, may hold true when it comes to coaxing organizations to take appropriate security measures.

Creating a Safe Harbor for Compliant Enterprises

Some states are now choosing to take a different approach when it comes to cybersecurity compliance, one that is based on perks rather than punishments.  The idea is to motivate organizations to take the necessary steps to secure their network infrastructures with an affirmative defense for civil lawsuits resulting from a cybersecurity incident.

Connecticut’s Safe Harbor Regulation

Connecticut passed a law on July 6, 2021, that creates a safe harbor for companies that implement reasonable cybersecurity controls.  The law states that in the event of a data breach-like incident that involves personal or restricted information, the Superior Court shall not assess punitive damages against a covered entity if such entity created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework.  The current set of recognized frameworks includes the following:

  • Three different NIST standards
  • FedRAMP
  • ISO 27000 series
  • CIS Controls – The Center for Internet Security’s “Center for Internet Security Critical Security Controls for Effective Cyber Defense”
  • The Health Insurance Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act

In order to retain their safe harbor status, organizations must conform to any new revisions of these standards within six months of their publication.  Companies subject to PCI DSS must also comply with that standard.  The law also clearly states that the provision of safe harbor does not apply if it is found that a company failed to implement reasonable cybersecurity controls or if the data breach was the result of gross negligence or wanton conduct.  Like most government regulations, the scope of the law is based on factors such as a company’s size, the complexity of its operations, and the cost and availability of security controls.

The Connecticut law also expanded the definition of personal information to include data types such as subscriber information, government ID numbers, and biometric information.  It also shortened the notification window within which companies must alert affected parties of a breach involving their personal data (from 90 days to no more than 60).  In addition, the law now allows companies to alert affected parties of a breach concerning their personal login credentials through electronic means.

Connecticut isn’t the only state to take this approach.  Ohio was the first state to blaze the trail of providing an affirmative defense against punitive damages in civil suits levied against companies that were in compliance with a recognized cybersecurity standard at the time of a security incident.  Utah passed a similar law in March of 2021 to encourage entities to maintain reasonable safeguards to protect personal information.  Other states considering a carrot-and-stick approach include Georgia, New Jersey and Illinois.

Defining Reasonable Security and DoCRA

All of these new affirmative defense laws involve the determination of what a reasonable level of security is.  This is also commonly referred to as “duty of care” or “due care.”  Determining one’s duty of care is necessary in order to establish the correct balance between reasonable security and reasonable burden.  After all, cybersecurity protection isn’t free.  One method of determining this acceptable equilibrium is the Duty of Care Risk Analysis Standard (DoCRA).  DoCRA outlines the processes for evaluating risks and their safeguards in a way that is easily communicated to and accepted by authorities such as regulators and judges, or anyone who needs to determine whether foreseeable harm could have been prevented by safeguards that would pose a reasonable burden.

The Sedona Conference Reasonableness Test

In February of 2021, the Sedona Conference Working Group 11 (WG11) released a commentary on a reasonable security test.  The purpose of the test is to help regulatory and litigation communities ascertain whether or not an organization implemented reasonable cybersecurity.  Like DoCRA, “the test” would consider both the involved risks as well as the burden of implementing the proposed controls to protect against them.  In an era in which it seems so many parties are scrambling to define “reasonable,” this reasonableness test assists in establishing whether or not a given party met its legal obligations in the event of a cybersecurity incident.

A Holistic Approach to Mitigating Risk

There is no doubt that there is a cost and burden to implementing security controls.  The question is, just how many security controls does one need to implement and support?  Too often, companies apply a best-of-breed approach to cybersecurity.  A new threat is discovered, and security vendors then release a new solution to address it and convince companies to purchase and implement it.  What results is a disparate group of security tools that work in isolation from one another.  This fragmented approach creates attention gaps as personnel must swivel from one tool to another to monitor the enterprise.  One should not assume that more tools equal greater security.  This paradox was recently exemplified in Cisco’s 2020 CISO Benchmark Survey, which exposed a clear correlation between the amount of security-related downtime experienced by an organization and the number of security vendors it used.

  • 73% of those who utilized 50+ security vendors experienced 4+ hours of downtime
  • 56% of those who utilized 6-10 security vendors experienced 4+ hours of downtime
  • 58% of those who utilized 2-5 security vendors experienced 4+ hours of downtime
  • 49% of those who utilized 1 security vendor experienced 4+ hours of downtime

A similar correlation was found concerning the number of records impacted during a breach.

  • 81% of those that utilized 50+ security vendors had 10,000+ records impacted
  • 54% of those who utilized 6-10 security vendors had 10,000+ records impacted
  • 35% of those that utilized 2-5 security vendors had 10,000+ records impacted
  • 16% of those who utilized 1 security vendor had 10,000+ records impacted

Because this silo approach to cybersecurity is not achieving the results that companies are seeking today, many companies are looking at cybersecurity from a more holistic view.  This starts with the creation of an effective cybersecurity strategy that utilizes a coordinated approach across all operating units of the organization – from IT to the C-Suite to the customer-facing teams.  Security controls are then selected not according to the latest “buzz” but whether they can work interactively with one another, creating blanket-level security.

How HALOCK can Help

If you’re confused as to what the definition of reasonable is or you want to ensure that you can escape the punitive damages of a cybersecurity lawsuit, even if you don’t live in Connecticut, then contact HALOCK Security Labs. 

As partners with CIS in authoring CIS RAM, serving on the DoCRA Council, and contributing to the Sedona Conference, we are fortunate to have a full perspective of what “reasonable” means to litigators, regulators, and organizations.  We can partner with you to create a more holistic approach to cybersecurity.  Leveraging the reasonable risk approach provides the proper insight into developing effective security strategies.  Manage your risk to be reasonable and appropriate to your environment, and protect the privacy of your data.

Frequently Asked Questions (FAQs) on Reasonable Security

What Is Reasonable Security?

Reasonable Security is appropriate cybersecurity protection for your organization. Based on your size, data types, and risk profile, reasonable security can be a legal standard of care and a cybersecurity best practice, both of which show that you took defensible steps to protect information.

Why is “Reasonable” Security Important?

“Reasonable security” language is found in most state and federal privacy laws, and regulators have ruled that you must show you took “reasonable” steps to protect sensitive information. Reasonable security does not mean perfect security, but rather security that makes sense based on your risks and resources. Organizations with reasonable security:

  • Have a better chance of avoiding regulatory action after a breach
  • Are better positioned during litigation and investigations
  • Have more support from cyber insurance carriers and adjusters
  • Instill more confidence with clients, partners, and stakeholders

What Laws Reference “Reasonable Security”?

In the United States, a variety of state and federal laws require organizations to have “reasonable security practices and procedures.” These include, but are not limited to:

  • California Consumer Privacy Act (CCPA / CPRA)
  • New York SHIELD Act
  • Illinois Personal Information Protection Act (PIPA)
  • Massachusetts 201 CMR 17.00
  • Connecticut Data Privacy Act
  • Gramm-Leach-Bliley Act (GLBA)
  • Federal Trade Commission (FTC) Safeguards Rule
  • General Data Protection Regulation (GDPR) – references “appropriate technical and organizational measures”

The laws do not specify exactly what controls you should use, but they do typically require some defensible evidence that you assessed and mitigated risk appropriately.

How Do You Demonstrate Reasonable Security?

The most effective way is through a documented, risk-based assessment process that allows you to show how your organization identifies, prioritizes, and mitigates risks. A legally defensible risk assessment provides a fact-based argument that your actions were prudent, informed, and proportionate. Key elements include:

  • Risk identification: What data, systems, and processes are impacted?
  • Threat and vulnerability analysis: What risks are credible and foreseeable?
  • Impact assessment: What could cause harm to customers, partners, or operations?
  • Control evaluation: What safeguards are reasonable under current conditions?
  • Documentation: Written records of your findings, decisions, and mitigations.

Security and legal frameworks such as NIST SP 800-30, ISO 27005, CIS Controls, and DoCRA (Duty of Care Risk Analysis) can help define and prove what “reasonable” looks like in practice.

What Is the Duty of Care Risk Analysis (DoCRA)?

The Duty of Care Risk Analysis (DoCRA) standard is an approach to establish and document reasonable security for an organization. It states that reasonable security is: “Security that balances the interests of the organization with the interests of others who may be harmed if security fails.” DoCRA helps organizations to review and justify risk decisions, not only from a compliance point of view but also with respect to fairness, proportionality, and legal defensibility. In essence, it considers an organization’s mission, objectives, and obligations. It effectively bridges security, business, and legal aspects in one defensible framework.
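As an added illustration of the balance test described in the DoCRA sections above and in the risk-assessment FAQ (this is not HALOCK’s, DoCRA’s or CIS RAM’s own code, and the 1..5 scales and acceptable-risk threshold are assumed for the example rather than taken from their published scoring), a small risk-register evaluation that asks the duty-of-care question: could the harm have been prevented by a safeguard whose burden stays within the same acceptable level?

```python
from dataclasses import dataclass

# Assumed 1..5 ordinal scales; DoCRA and CIS RAM publish their own (this is an illustration).
ACCEPTABLE_RISK = 8  # assumed policy threshold on the resulting 1..25 risk scale

@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (expected)
    impact: int      # 1 (negligible) .. 5 (severe) harm to customers, mission or obligations

    def score(self) -> int:
        return self.likelihood * self.impact

@dataclass
class Safeguard:
    name: str
    residual_likelihood: int  # likelihood with the safeguard in place
    residual_impact: int      # impact with the safeguard in place
    burden: int               # cost/disruption to the organization, on the same 1..25 scale

    def residual_score(self) -> int:
        return self.residual_likelihood * self.residual_impact

def is_reasonable(s: Safeguard, acceptable: int = ACCEPTABLE_RISK) -> bool:
    """Balance test: the safeguard must bring risk to others down to the acceptable
    level, and its burden on the organization must not exceed that same level."""
    return s.residual_score() <= acceptable and s.burden <= acceptable

def evaluate(risk: Risk, candidates: list, acceptable: int = ACCEPTABLE_RISK) -> dict:
    """What a register entry documents: inherent risk, whether it needs treatment, the
    reasonable safeguards (least burdensome first) and whether harm was preventable."""
    inherent = risk.score()
    reasonable = sorted((s for s in candidates if is_reasonable(s, acceptable)),
                        key=lambda s: (s.burden, s.residual_score()))
    return {
        "risk": risk.name,
        "inherent": inherent,
        "needs_treatment": inherent > acceptable,
        "reasonable_safeguards": [s.name for s in reasonable],
        "preventable_at_reasonable_burden": inherent > acceptable and bool(reasonable),
    }

# Constructed sample register entry, not real data.
PORTAL_TAKEOVER = Risk("Account takeover of customer portal via stolen passwords", 4, 4)
CANDIDATES = [
    Safeguard("Enforce MFA for all portal users", 2, 3, burden=6),
    Safeguard("Rebuild portal for hardware tokens only", 1, 2, burden=20),
    Safeguard("Annual password-hygiene reminder email", 4, 4, burden=1),
]

if __name__ == "__main__":
    for key, value in evaluate(PORTAL_TAKEOVER, CANDIDATES).items():
        print(f"{key}: {value}")
```

With these constructed numbers only the MFA safeguard passes both halves of the test: the hardware-token rebuild reduces risk further but its burden exceeds the acceptable level, and the reminder email is cheap but leaves the risk untreated.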

How HALOCK Helps Organizations Demonstrate Reasonable Security

HALOCK offers cybersecurity assessments that are risk-based, legally defensible, and aligned with the Duty of Care Risk Analysis (DoCRA) standard. A HALOCK assessment helps you to:

  • Identify, quantify, and prioritize cyber risks
  • Select and balance controls with business impact
  • Document a reasonable security posture for regulators, courts, and clients
  • Establish an accountability and continuous improvement process

How Can You Define “Reasonable Security”?

Reasonable security means implementing safeguards that are:

  • Appropriate: Based on your business size, industry, and data sensitivity
  • Proportionate: Controls balance protection with business practicality
  • Recognized: Align with accepted frameworks (NIST, ISO 27001, CIS, DoCRA)
  • Documented: You can prove decisions, policies, and risk management actions
  • Adaptive: Regularly reassessed as technology, threats, and operations evolve