Reasonable Security

Reasonable Security as a Retrospective, Moving Standard

“Reasonable security” is a phrase that appears repeatedly in statutes, regulatory guidance, enforcement actions, and judicial opinions. Its imprecision is intentional. Rather than prescribing a fixed set of controls, the standard is designed to be applied contextually, with judgment exercised after an incident has occurred. For regulated professionals, this has a practical implication that is often underappreciated: security decisions are rarely evaluated when they are made, but when they are later reconstructed.

Reasonableness is not assessed in the abstract. It is evaluated against the sensitivity of the information handled, the professional obligations attached to that information, and the risks that were well understood at the time. Small size or limited resources may inform expectations, but they do not excuse disregard for commonplace threats or widely available safeguards. Where client data is confidential by statute, ethics rule, or professional norm, the baseline for what is considered reasonable rises accordingly.

A persistent misconception is that reasonableness can be established through nominal compliance or tool adoption. Checklists, certifications, or reliance on third-party platforms are often treated as substitutes for judgment. In practice, post-incident analysis focuses less on labels and more on whether decisions reflected awareness of foreseeable risk. Cloud services, managed software, and external vendors may reduce certain burdens, but they do not transfer accountability for access control, configuration, or use. Where responsibility is diffuse, regulators tend to locate it with the professional closest to the client relationship.

Inquiries into reasonableness typically examine a narrow set of questions. Were risks identified, even informally? Were commonly accepted safeguards implemented or consciously declined? Were systems maintained in a supported and patched state? Was access limited to legitimate need? Was staff behavior guided rather than assumed? These questions are not exhaustive, but they recur because they speak directly to whether harm was preventable through ordinary care.

Documentation plays a disproportionate role in this analysis. In the absence of contemporaneous records, assertions about intent or awareness are difficult to credit. Conversely, even modest documentation (notes of risk considerations, records of access decisions, evidence of updates or training) can materially affect how conduct is characterized. Silence in the record is often interpreted as absence of deliberation.

A reasonable security posture does not require comprehensive programs or specialized infrastructure. It does require that decisions be made deliberately, in light of known risks, and revisited as systems and practices change. Professionals who can articulate why their safeguards were appropriate at the time they were implemented are generally better positioned than those who rely on generalized assurances that nothing had gone wrong before.

Some practices manage this evaluative process internally and informally, particularly where systems are stable and limited in scope. As reliance on digital tools expands, however, informal reasoning becomes harder to sustain under scrutiny. At that point, the question is not whether security was perfect, but whether it was plausibly reasonable when it mattered—after the fact, and under examination.
