What the H**L Does Reasonable Data Security Really Mean?

Michael Buckbee
3 min read
Last updated June 16, 2023

For anyone who’s spent time looking at data security laws and regulations, you can’t help but come across the words “reasonable security”, or its close cousin “appropriate security”. You can find this legal verbiage in state breach notification laws, in HIPAA’s Security Rule (“reasonable and appropriate” security), in FERPA, and in many other federal data security laws and guidance documents. So what does it mean?

Therein lies a story. Not being too specific about security controls in these laws turns out to have been a good thing. It indirectly forced the security industry to look at larger and more general issues involving data security.


The requirement for “reasonable security” is found in many state data security and breach notification laws.

I’m getting a little ahead of myself. Fortunately, I’m standing on the shoulders of legal giants. As I discovered, the meaning of reasonable security came about when the US federal government tried to come up with an initial definition of appropriate security safeguards. If you want the full story, legal eagles should review this illuminating white paper.

Secret Origins of Reasonable Security Revealed!

Back in the early days of the Internet (circa 2001), regulators were trying to interpret the Gramm-Leach-Bliley Act’s (GLBA) vague words that financial institutions had to “insure the security and confidentiality of customer information”. Their final analysis can be found in this important source document, “Guidelines Establishing Standards for Safeguarding Customer Information”.

The government didn’t want to force a specific standard or set of controls; instead they came up with more general ideas on how to implement a security program. And here’s the essence of the plan, which should look familiar to many of us:

  1. Identify Information Assets – Identify the corporate information assets that need to be protected
  2. Conduct Periodic Risk Assessments – Identify and assess internal and external risks to the security, confidentiality, and/or integrity of those information assets
  3. Implement Controls to Manage Risk – Select and implement appropriate physical, administrative, and technical security controls to minimize the risks identified in the risk assessment
  4. Monitor the Program – Regularly test the key controls, systems, and procedures of the security program to confirm they are working as intended
  5. Review and Adjust – Always look at new threats and analyze breaches, at a minimum on an annual basis

In the aforementioned legal analysis, you can read more about how the GLBA guidelines influenced FTC regulators and then US states in interpreting “reasonable security.”

Reasonable Security: It’s a Process

In case it’s escaped your notice, the above “definition” of reasonable security is not a thing, but a … process. In other words, you’re always conducting reasonable security!

It’s helpful to compare the above GLBA list worked out in the dot com days to NIST’s more current Critical Infrastructure Security (CIS) Framework. Hint: it’s the same thing!

The NIST CIS Framework is a process. And it’s the same as the guidelines set down by the GLBA regulators back in the dot com days.

Let’s keep in mind that NIST CIS is a framework. That means it’s also not tied to specific security controls. This goes back to the idea from the regulators to not force private industry to adopt one data standard over another.

The CIS Framework documentation conveniently maps the process onto several different standards, including NIST 800-53, SANS CSC, ISO 27001, and more. In fact, it was such a good idea that states are starting to consider NIST CIS as “black letter” law for their own data security laws.

And it is a good idea! In short: it allows IT groups to conform to the “reasonable security” definition by leveraging whatever existing standard they’re relying on. The NIST CIS framework will show them the controls in the standard they need to implement in order to have reasonable security. NIST CIS also makes it clear that you’re always in the process — you go back to the beginning and reassess your security profile based on whatever new information you’ve learned.

Varonis Is On It!

The CIS framework is a giant meta-standard and a good resource for those planning a security solution. Varonis supports the NIST CIS framework. In fact, we’ve helped companies comply with many security laws and standards, including HIPAA, PCI DSS, and others.

We’ve gone a step further. We also have our own operational journey that’s based heavily on NIST’s process approach. It works in conjunction with our products, and it will set the stage for keeping you in compliance with state and federal data laws, as well as many security standards. You’ll be future-proofed no matter what comes your way!
