The words “Reasonable Security” often come up in executive meetings to help understand “what do we need to do?” As a security professional, our goal is to make things as secure based on a risk-based approach but risk can be defined differently based on where one is.
In 2019, a big scramble was made by organizations that were to eventually fall under the requirements of the California Consumer Privacy Act to understand the requirements of what “needed” to be done versus what “should” be done.
One of the most common parts of the law that had heads being scratched all over the United States is “what is reasonable security?” due to one clause within CCPA. The clause is as follows:
1798.150. (a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action […]. (SB-1121 California Consumer Privacy Act of 2018)
Based on where one is located, reasonable security could be very different. For example, the privacy and security demanded by the citizens of Texas is very different then the privacy and security demanded by the citizens of California.
We have two valuable excerpts from documents that will help one understand what is “reasonable security” from a federal perspective as well as from a California perspective.
From a federal perspective, information security is governed by the Federal Trade Commission (FTC). The FTC published a documented called “Start with Security” that has been built off of case law from security breaches.
You may find this document linked here: Start with Security: A Guide for Business
After meeting with the Attorney General’s Office in California, the state has a different definition of reasonable security. They have defined this in the California Data Breach Report of 2016 on page 30.
You may find this document linked here: California Data Breach Report: February 2026
To help your business build a reasonable security program, reach out to sales@gilliamsecurity.com. We have the frameworks in place to help your organization build such a program to help you comply both federally and with the states.