As new data privacy laws take shape, the standard of “reasonable” data security measures continues to be a common thread. But for business leaders and in-house counsel, there is some fuzziness around the term.

What does “reasonable” actually mean?

In an insightful article in Reuters, information security expert Melodi Gates, JD, CIPP/US, explains:

To successfully manage cyber risks, it’s important for counsel to understand cyber vulnerabilities. Unlike threats, businesses can generally remediate or at least mitigate their cyber vulnerabilities, which typically include design, implementation, or other oversights that create defects in commercial IT products or internally developed software, often requiring a patch or other update to remediate; and poor setup, mismanagement, or other issues in the way a business installs and maintains its IT hardware and software components.

Other common vulnerabilities that companies must also tackle include:

  • gaps in the business processes;
  • administrative or organizational weaknesses, such as a lack of user training and awareness or failure to appropriately prioritize and fund security programs;
  • poorly designed access controls or other safeguards; and
  • physical and environmental issues.

Strategies to manage cyber risks and support reasonableness

In-house counsel can help their businesses routinely manage cyber risks and avoid attacks, or at least minimize their impact, by developing and maintaining reasonable risk-based information security programs.