
State laws, legal cases, grant requirements, cyber insurance, and those impacted by data exposure all may refer to the term “reasonable cybersecurity” when it comes to an institution’s responsibility to safeguard data. But what does “reasonable” mean? What are the measures to implement, maintain, and audit, to achieve a reasonable level of cybersecurity?
The short answer might be “ask your lawyer,” but US federal enforcement actions, read alongside expert guidelines, provide a starting point for answering these questions. The US Center for Internet Security (CIS) published “A Guide to Defining Reasonable Cybersecurity” in October 2024. In June 2024, Isabella Wright and Maia Hamin co-authored an Atlantic Council article analyzing a number of Federal Trade Commission (FTC) enforcement actions against organizations found to have inadequately secured consumer information. The FTC actions and the CIS recommendations share common themes.
General Reasonable Practice: Implement and continue to follow a nationally/internationally recognized cybersecurity framework.
The CIS publication advocates its CIS Controls framework as a path to reasonable protection. The CIS guide also examined state laws that grant “safe harbor” protection from liability in the event of a cybersecurity breach. The common requirement across these state laws is implementing and following an industry-recognized cybersecurity framework, with the NIST Cybersecurity Framework and the CIS Controls cited as example frameworks.
Implement Specific Reasonable Mitigations
The following are the Atlantic Council’s “baseline cybersecurity practices,” derived from FTC enforcement actions that cited the absence of these specific mitigations:
- Data encryption
- Vulnerability reporting, monitoring, and mitigation
- Safe credential practices
- Multi-factor authentication
- Network access monitoring and controls
- Maintain a written cybersecurity program
- Testing and auditing
- Minimized data retention
- Minimized access
- Employee and personnel training
This list of practices for achieving a minimal “reasonable” level of cybersecurity also aligns with the implementation of a cybersecurity framework such as the NIST Cybersecurity Framework or the CIS Controls.
What counts as “reasonable” may differ in its details depending on the nature of the data involved, the resources available to the organization, and its skills and budget; cyber insurance policies may also set specific criteria. In general, however, stakeholders, the legal system, and the public value and expect the implementation of safe cyber practices.
References
Center for Internet Security (October 2024). “A Guide to Defining Reasonable Cybersecurity, Version 1.1”. Accessed 26 February 2025.
Isabella Wright and Maia Hamin (June 12, 2024). “‘Reasonable’ Cybersecurity in Forty-Seven Cases: The Federal Trade Commission’s Enforcement Actions Against Unfair and Deceptive Cyber Practices”. Atlantic Council. Accessed 26 February 2025.