How Companies Comply with Privacy Regulators for “Reasonable Security”?

Cyber reasonable security
Cyber reasonable security

This article will highlight how privacy regulations like CCPA and GDPR require companies to comply with reasonable security for the safeguard of their client’s information. Moreover, it will elaborate how enterprises should protect their data and ensure trustworthiness.

Reasonable privacy is now compulsory for private companies after California’s Consumer Privacy Act CCPA). If any company fails to comply with this regulation will face the legal cause of action in the court as “negligence.” This article will first elaborate on how regulators force companies to oblige with reasonable security and will also explain if protecting data is enough for the enterprise’s security.

Privacy regulations like CCPA and GDPR comply with private companies to provide reasonable privacy to their customers so that their personal information stays protected and secure.

To sue anyone for negligence, you have to prove the following four elements:

  1. The defendant had it as a duty to comply with the plaintiff.
  2. The defendant didn’t perform the said task and breached the duty.
  3. The breach of duty caused harm to the plaintiff.
  4. The harm to the applicant resulted in articulable damages.

When an individual trusts the company he works with and gives them the data then it is the company’s responsibility to protect and handle that data. The question is, how can one the security management or regulatory can ensure that the company is safeguarding the data from a legal perspective?

The table below is from the Federal Trade Commission v. Wyndham Worldwide Corporation which depicts some common examples of commercially reasonable security which were noted after the security breaches.

Note: Security breach at Card System Solution (CSS) happened back in 2005, while Wyndham breach occurred between 2008 and 2010.  

Reasonable Security Checklist

The following checklist states the aspects that are needed to be assured of getting reasonable security.

  • List of authorized and unauthorized software
  • List of authorized and unauthorized devices
  • Security settings on the laptops, mobile phones, servers, and workstations
  • Vulnerability assessment and its cure
  • Maintenance of audit logs.
  • Malware Defense
  • Data Recovery Capability
  • Security settings of the Firewalls, Switches, and Routers.
  • Incident Response and Management
  • Boundary Defense
  • Data Recovery Capability 

To understand how to protect your data, first, you need to assess the major risks and factors that can hinder your privacy. 

Performing Threat Assessment

A security professional should understand that there are a limited budget and resources that are available for this security program. Plus should also understand that threats and vulnerabilities have a direct impact on the reputation and finances of the company. A security professional should work hand in hand with the IT professional; it will give him an edge over the technical side of things. It is advised to understand what the company’s business model is before protecting it for good.

How Does a Regulatory Body Make a Difference?

There is a certain type of data that falls under the umbrella of different regulatory necessities. Regulating bodies make laws which are a must for companies to comply violating, and the company ends up getting a legal notice.

In countries with a Federal government system, corporations are asked to oblige regulations as per the regime. Such Governments ask companies for extensive security to control obligations and watch the controlled unclassified information.

Regulatory bodies play a vital role; some do good while others want to keep an eye on every netizen. When speaking to Sabih Ahmed, the founder of The Usables – a technology-focused website. He explained how privacy has evolved over the years and how threatening it has become in the last five years. 

Meeting the Regulator’s Requirements

To support the process of CCPA, you need to document and communicate the respective teams and have to ensure that you comply with all the regulations as set by the regulator. Make sure you also involve your legal team so that there is no loophole left to puncture your credibility.

Shifting Focus From Data For An Instance

All the processes as discussed up till now involve the protection of data, while it is important to safeguard internal data, but it is equally important to understand that the attackers may act smart and may penetrate through your network. APT (Advanced Persistent Threats are used by fraudsters to bypass the security blockade. They exploit weak passwords, find unpatched servers and access non-protected Amazon S3 buckets. To help counter such attacks, you should have an organizational framework just like Software Development Lifecycle (SDLC).

An SDLC will plan, Analyze, Design and Implement protection for your network. This system engineering process will give your enterprise more than a data-centric approach.

Driving through Trustworthiness from Security

 It is inevitable to ensure trustworthiness among your employees, and to achieve it there is a criterion as outlined by Robert Martin in a report.

  • Reliability of the components of the system.
  • The authenticity and integrity of the system.
  • Confidentiality of the used data by components of the system. 
  • Maintenance of components and system.
  • The resilience of the components and the system to discourage misuse.
  • Safety of the system and its components. 
  • Usability of the system and its components.

Trustworthiness is a key factor implying on the above mentioned bullets. Each service or a product can be broken down into smaller components to be evaluated for individual trustworthiness. These scores can be then accumulated to give an aggregate score of the entire system.

Enterprises should take notes here, as reasonable data security works to ensure trustworthiness but there are other factors to consider like assuring the reliability, security, safety and resilience of the product or service they offer.


Security for enterprise is a holistic approach which is a dire need of time and organizations should put them into consideration. Look at your company as a prudent entity whose assets are at risk and to protect them you have to take crucial steps and don’t forget a breach can happen anytime which will highlight you in the lists of regulators by not complying to their rules.

Disclaimer: This article does not provide legal assistance or advice. It is an academic write-up which hopes to spur discussion on faulty practices to ensure a secure feature ahead of us. Enterprises must implement reasonable security measures which include security practitioners and understand the behavior from a legal point of view.


For the latest update about Cyber and Infosec World, follow us on Twitter, Facebook, Telegram , Instagram and subscribe to our YouTube Channel.

Subscribe to HackersOnlineClub via Email

Enter your Email address to receive notifications of Latest Posts by Email | Join over Million Followers

Leave a Reply
Related Posts