
What the H**L Does Reasonable Data Security Really Mean?

Michael Buckbee
3 min read
Published March 29, 2020
Last updated June 16, 2023

For anyone who’s spent time looking at data security laws and regulations, you can’t help but come across the words “reasonable security”, or its close cousin “appropriate security”. You can find this legal verbiage in state breach notification laws, in HIPAA’s Security Rule (“reasonable and appropriate” security), in FERPA, and in many other federal data security laws and guidance documents. So what does it mean?

Therein lies a story. Not being too specific about security controls in these laws turns out to have been a good thing. It indirectly forced the security industry to look at larger and more general issues involving data security.


The requirement for “reasonable security” is found in many state data security and breach notification laws.

I’m getting a little ahead of myself. Fortunately, I’m standing on the shoulders of legal giants. As I discovered, the meaning of reasonable security came about when the US federal government tried to come up with an initial definition of appropriate security safeguards. If you want to learn more and get the full story, legal eagles should review this illuminating white paper.

Secret Origins of Reasonable Security Revealed!

Back in the early days of the Internet (circa 2001), regulators were trying to interpret the Gramm-Leach-Bliley Act’s (GLBA) vague words that financial institutions had to “insure the security and confidentiality of customer information”. Their final analysis can be found in this important source document, “Guidelines Establishing Standards for Safeguarding Customer Information”.

The government didn’t want to force a specific standard or set of controls; instead they came up with more general ideas on how to implement a security program. And here’s the essence of the plan, which should look familiar to many of us:

  1. Identify Information Assets – Identify the corporate information assets that need to be protected.
  2. Conduct Periodic Risk Assessments – Identify and assess internal and external risks to the security, confidentiality, and/or integrity of those information assets.
  3. Implement Controls to Manage Risk – Select and implement appropriate physical, administrative, and technical security controls to minimize the risks identified in the risk assessment.
  4. Monitor the Program – Select and implement appropriate physical, administrative, and technical security controls to minimize the risks identified in the risk assessment.
  5. Review and Adjust – Always look at new threats or analyze breaches, minimally on an annual basis.

In the aforementioned legal analysis, you can read more about how the GLBA guidelines influenced FTC regulators and then US states in interpreting “reasonable security.”

Reasonable Security: It’s a Process

In case it’s escaped your notice, the above “definition” of reasonable security is not a thing, but a … process. In other words, you’re always conducting reasonable security!

It’s helpful to compare the above GLBA list worked out in the dot com days to NIST’s more current Critical Infrastructure Security (CIS) Framework. Hint: it’s the same thing!

The NIST CIS Framework is a process. And it’s the same as the guidelines set down by the GLBA regulators back in the dot com days.

Let’s keep in mind that NIST CIS is a framework. That means it’s also not tied to specific security controls. This goes back to the idea from the regulators to not force private industry to adopt one data standard over another.

The CIS Framework documentation conveniently maps the process into several different standards, including NIST 800-53, SANS CSC, ISO 27001, and more. In fact, it was such a good idea that states are starting to consider NIST CIS as “black letter” law for their own data security laws.

And it is a good idea! In short: it allows IT groups to conform to the “reasonable security” definition by leveraging whatever existing standard they’re relying on. The NIST CIS framework will show them the controls in the standard they need to implement in order to have reasonable security. NIST CIS also makes it clear that you’re always in the process — you go back to the beginning and reassess your security profile based on whatever new information you’ve learned.

Varonis Is On It!

The CIS framework is a giant meta-standard and a good resource for those planning a security solution. Varonis supports the NIST CIS framework. In fact, we’ve helped companies comply with many security laws and standards, including HIPAA, PCI DSS and others.

We’ve gone a step further. We also have our own operational journey that’s based heavily on NIST’s process approach. It works in conjunction with our products, and it will set the stage for keeping you in compliance with state and federal data laws, as well as many security standards. You’ll be future-proofed no matter what comes your way!
