What is reasonable security in 2026?
Reasonable security is the balancing standard at the center of cybersecurity regulation, breach litigation, and organizational accountability. State privacy laws are maturing, enforcement is increasing, and organizations face fines and lawsuits if they cannot demonstrate reasonable security. They must show they implemented safeguards that are appropriate, risk-based, and defensible.
Reasonable security is a term that has been gaining traction in legislation and among regulators, cyber insurers, and boards. It is not a new concept. But by 2026, reasonable security will no longer be an amorphous legal standard. Instead, it will be a threshold that attorneys, regulators, and cyber insurance carriers use to hold organizations to objective decision-making frameworks, ones that weigh security controls against mission and business obligations as well as reasonably foreseeable risks.
Here are some insights and tactics that will help your organization define, measure, document, and demonstrate reasonable security in 2026 and beyond.
What does “reasonable security” mean?
Reasonable security is not an abstract legal term. Reasonable security is a process of risk assessment based on a thorough understanding of the likelihood and impact of threats, the sensitivity of the information and criticality of systems, and the burden of implementation. Reasonable security is not perfect security. Reasonable security is appropriate security. Reasonable security is becoming the standard by which courts and regulators evaluate whether organizations were negligent in breach cases.
Reasonable security means having cybersecurity measures that are aligned with risks, feasible with current security technologies, and do not place disproportionate burdens on an organization’s security programs. Reasonable security also means documenting decisions so that the choices are defensible to courts and regulators. Reasonable security, defined this way, is neither strict liability nor negligence.
Risk-based decision making is at the heart of reasonable security. At its foundation, it is an understanding that cyber risk tolerance may vary by industry, sector, size, geography, exposure, and more. Risk tolerance will vary not just by technical cyber risk but also by:
- Likelihood and impact of a cyber event. For example, a healthcare organization may place a higher emphasis on security measures to protect personal health information (PHI) due to the sensitive nature of the data it processes. A credit card company may focus heavily on preventing fraud and financial losses.
- Criticality of digital assets. For instance, if an organization’s core business relies on its online presence, such as an e-commerce platform, it will likely invest more heavily in cybersecurity to protect its website and online transactions. A financial institution will have a different risk profile than a manufacturing company based on its digital assets.
- Mission and business obligations. Some organizations are custodians of highly sensitive personal information and have contractual, ethical, and fiduciary obligations to manage and protect it. An organization’s mission, such as a healthcare provider or financial institution, can also influence what it considers to be “reasonable” security. Consumer expectations and contracts will also inform business obligations.
- Burden of implementing controls. Reasonable security must be technically and financially feasible for an organization. If a recommended security measure is cost-prohibitive or requires specialized knowledge and resources that are not easily accessible, it may be challenging for the organization to implement.
How do I demonstrate reasonable security?
The cornerstone of a strong, reasonable security program is a clearly documented, thorough risk-based decision-making framework that measures and weighs risks and security measures. Organizations with mature data privacy programs and robust cybersecurity policies are well-positioned to meet the reasonable security bar.
Decision-making can be as complex or as simple as needed to balance risk and security, and must be done for every safeguard that is adopted. One useful starting point is to build on existing frameworks that organizations are already using and codify three sets of considerations that make up an appropriate standard of care.
There are three key decision-making factors: foresight of consequences to one’s self (your stakeholders), foresight of consequences to others (societal risk), and a balancing of those harms with the burden of duty (operational harm or cost). This balance between stakeholder protection, organizational burden, and societal risk has significant parallels with security risk analysis. Duty of Care Risk Analysis (DoCRA) establishes how organizations can define reasonable security through the company’s mission, objectives, and obligations.
DoCRA provides the most useful starting point for CISOs, general counsel, risk management, executives, and auditors looking to develop and document strong, reasonable security standards.
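The three factors above (foreseeable harm to your own stakeholders, foreseeable harm to others, and the burden of the duty) only become defensible once they are scored and compared in a repeatable way. The following is an added illustration written for this article, not DoCRA's published method or any regulator's formula: it assumes a 1..5 ordinal scale for likelihood, impact and burden, an organization-documented acceptable-risk level of 6, and constructed sample data for a ransomware threat to a PHI file share. A safeguard passes when it brings residual risk to or below the acceptable level and its own burden does not exceed the risk it addresses, which is the "not more burdensome than the risk itself" test the FAQ below describes.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed 1..5 ordinal scale for likelihood, impact and burden scores.
SCALE = range(1, 6)


def _check(*scores: int) -> None:
    """Reject scores outside the assumed 1..5 scale."""
    for s in scores:
        if s not in SCALE:
            raise ValueError(f"score {s} is outside the 1..5 scale")


@dataclass(frozen=True)
class Risk:
    """A foreseeable threat to stakeholders or to others (societal risk)."""
    name: str
    likelihood: int  # 1 = rare .. 5 = expected
    impact: int      # 1 = negligible .. 5 = severe harm

    def __post_init__(self) -> None:
        _check(self.likelihood, self.impact)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Safeguard:
    """A candidate control, scored for the risk left after it and for its own burden."""
    name: str
    residual_likelihood: int  # likelihood of the threat once the safeguard is in place
    residual_impact: int      # impact of the threat once the safeguard is in place
    burden_likelihood: int    # how likely the safeguard is to harm mission or budget
    burden_impact: int        # how badly it would harm them

    def __post_init__(self) -> None:
        _check(self.residual_likelihood, self.residual_impact,
               self.burden_likelihood, self.burden_impact)

    @property
    def residual_risk(self) -> int:
        return self.residual_likelihood * self.residual_impact

    @property
    def burden(self) -> int:
        return self.burden_likelihood * self.burden_impact


def evaluate(risk: Risk, safeguard: Safeguard, acceptable_risk: int = 6) -> Dict[str, object]:
    """Apply the two tests: residual risk must reach the documented acceptable level,
    and the safeguard's burden must not exceed the risk it addresses."""
    if safeguard.residual_risk > acceptable_risk:
        verdict = "insufficient"
        reason = (f"residual risk {safeguard.residual_risk} exceeds "
                  f"acceptable level {acceptable_risk}")
    elif safeguard.burden > risk.score:
        verdict = "over-burdensome"
        reason = f"burden {safeguard.burden} exceeds the risk it addresses ({risk.score})"
    else:
        verdict = "reasonable"
        reason = (f"residual risk {safeguard.residual_risk} <= {acceptable_risk} "
                  f"and burden {safeguard.burden} <= risk {risk.score}")
    return {"risk": risk.name, "safeguard": safeguard.name,
            "inherent_risk": risk.score, "residual_risk": safeguard.residual_risk,
            "burden": safeguard.burden, "verdict": verdict, "reason": reason}


def select_reasonable(risk: Risk, candidates: List[Safeguard],
                      acceptable_risk: int = 6) -> List[str]:
    """Names of the candidates that pass both tests, in the order given."""
    return [r["safeguard"] for r in (evaluate(risk, c, acceptable_risk) for c in candidates)
            if r["verdict"] == "reasonable"]


def decision_record(risk: Risk, candidates: List[Safeguard], acceptable_risk: int = 6) -> str:
    """Plain-text record of the decision, the kind of artifact a reviewer asks for."""
    lines = [f"Risk: {risk.name} (likelihood {risk.likelihood} x impact {risk.impact} = {risk.score})",
             f"Acceptable risk level: {acceptable_risk}"]
    for c in candidates:
        r = evaluate(risk, c, acceptable_risk)
        lines.append(f"  [{r['verdict']:>15}] {c.name}: {r['reason']}")
    return "\n".join(lines)


# Constructed sample data: a ransomware threat to a PHI file share and three candidate responses.
PHI_RANSOMWARE = Risk("ransomware on PHI file share", likelihood=4, impact=5)
CANDIDATES = [
    Safeguard("MFA on remote access plus EDR", 2, 3, 3, 2),
    Safeguard("air-gap the entire clinical network", 1, 1, 5, 5),
    Safeguard("annual awareness training only", 3, 5, 1, 1),
]

if __name__ == "__main__":
    print(decision_record(PHI_RANSOMWARE, CANDIDATES))
```

Running the module prints the decision record: the MFA-plus-EDR option is marked reasonable, the air-gap option is marked over-burdensome because its burden score (25) exceeds the inherent risk (20), and training alone is marked insufficient because residual risk (15) stays above the acceptable level. The point of keeping the reason string in the record is that the same comparison can be shown to an auditor or a court later; the numbers themselves are only as defensible as the scoring criteria the organization writes down for each level.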
Organizations that embrace risk-balanced decision-making have seen more meaningful buy-in from decision-makers and boards, clearer accountability for those decision-makers, and far more legal defensibility. Reasonable security should be the best practice in 2026.
Reasonable Security in 2026: FAQs
What does “reasonable security” mean under current laws?
Reasonable security means that a covered entity took “cybersecurity measures that were appropriate for the risks to the personal information at issue, the entity’s particular business context, and its particular information protection obligations.”
Regulators increasingly define “reasonable” cybersecurity as safeguards that reduce risk to the public without being more burdensome than the risk itself.
Is reasonable security a legal requirement?
Yes. Several states’ major privacy laws explicitly require reasonable security, and it is increasingly the benchmark against which regulators, such as the FTC, evaluate corporate cybersecurity.
How can organizations show reasonable security?
By documenting a risk-based process that measures threats, safeguards, and the burden of business impacts. Duty of Care Risk Analysis (DoCRA) provides the roadmap to establish ‘reasonable security’.
Does reasonable security require certain controls?
Reasonable security requires safeguards appropriate for your organization’s risks. Appropriate safeguards are often ones that support standards from NIST CSF, CIS Controls, or ISO, for example.
What is the best way for organizations to measure and document reasonable security?
By adopting DoCRA. Why? Because it weighs the main factors that courts frequently use in negligence evaluations.