In September 2020, the Sedona Conference released the public comment version of its Commentary on a Reasonable Security Test. It proposes a test similar to the Hand formula, which is used to determine if a duty of care was owed in a negligence case.

B₂ - B₁ < (P × H)₁ - (P × H)₂

B represents the burden, P the probability of harm, and H the magnitude of harm. The subscript 1 represents the security controls in place before a reasonable standard was implemented, and the subscript 2 represents the supplement to security that can be added.

Drawing an analogy to the foreseeability test in negligence, the guide asserts that someone responsible for information security should not be expected to address unknown risks.

The guide includes an outline for assessing risk when:

1. a small company is responsible for consumer data for millions of customers.

2. a medium-sized company in the healthcare industry stores medical test results that are several years old.

3. a hospital with more than a billion dollars in annual revenue is responsible for protected health information (PHI).