Your business suffers a data breach. Client records are exposed. Now a lawyer representing one of those clients asks a single question: “What security measures did you have in place?” What would your answer be, and could you prove it?
That question is no longer theoretical. Businesses of all sizes are facing it from insurers, regulators, and, increasingly, the courts. The standard they apply is not whether your security was perfect, but whether it was reasonable and whether you can demonstrate that it was.
What “reasonable security” actually means
Reasonable security is not a fixed checklist; it is a judgment call based on what a business of your size, in your industry, with access to your resources, could and should have done. Factors that get weighed include whether you had antivirus software and a firewall in place, whether staff received any security training, whether software was kept up to date, whether sensitive data was protected with encryption or access controls, and whether you had a documented process for responding to incidents.
The uncomfortable reality is that many small businesses have some of these in place, but cannot document any of them. Verbal assurances do not hold up in a dispute. “We always kept things updated” is not evidence.
The documentation problem
When an insurer reviews a breach claim, or when a court assesses liability, the question is not just what you had in place but also what you can prove you had in place. Organizations that work with a managed service provider have a significant advantage here, because a well-run MSP not only implements security measures but also generates a paper trail.
Patch management records show when updates were applied and to which systems. Monitoring logs show that threats were being actively detected. Policy documents show that staff were given clear guidance. Backup records show that recovery procedures existed and were tested. Each of these serves as evidence that security was treated as an ongoing responsibility rather than an afterthought.
Where businesses get caught out
The most common scenario is not one where a business had no security, but one where a business had some security and thought it was sufficient but had no formal oversight and no records to show for it: consumer-grade tools installed years ago but never reviewed; software updates applied inconsistently; no written policy, training logs, or incident response plan.
In a dispute, that picture is difficult to defend. The absence of documentation is read as an absence of diligence, and diligence is exactly what the reasonable security standard requires.
A second scenario involves relying on a single person, whether an internal staff member or a sole contractor, who understood the setup but kept no formal records. If that person leaves or is simply unavailable when a dispute arises, there is nothing to refer to. The security may well have been sound, but the business has no way to demonstrate it.
What a managed service provider brings to this
Working with an MSP means that security is not just implemented; it is managed, monitored, and recorded. The relationship comes with regular reviews, written documentation, and a clear record of what was in place and when. If a breach does occur, that documentation becomes part of how you respond to it, not something you scramble to produce after the fact.
It also means the security itself is more likely to meet the reasonable standard, because it is built around current best practice rather than a setup that has not been reviewed in three years.
This is worth thinking about before something goes wrong
Most businesses think about liability only after an incident. The time to put the documentation and oversight in place is well before anyone is asking for it. If you would like to understand where your current security posture stands and what a formal managed services relationship would look like for your business, get in touch.