In March 2026, US Mortgage Corporation faced a class-action lawsuit in federal court. The complaint wasn't primarily about the breach itself. It was about what the company failed to do before the breach: no multi-factor authentication, no data encryption, no cleanup of data that no longer needed to be retained. The plaintiff's theory was straightforward. A breach you could have prevented with standard controls isn't just a security failure, it's negligence.
It's the same logic behind 23andMe's $50 million settlement, where missing MFA was cited as a core failure that enabled a credential-stuffing attack across millions of accounts. It's appearing in fintech breach litigation, healthcare security suits, and securities-related filings.
For technology and professional services companies, this matters beyond the security budget. It has direct implications for how Cyber Insurance responds after a breach, and whether a D&O claim targeting leadership gains traction. Understanding where the bar now sits helps companies make better decisions before an incident rather than explaining their security posture after one.
Missing MFA Is Now a Legal Argument, Not Just a Security Gap
The concept of "reasonable security" has existed in data protection law for years, but its meaning has been vague. Courts evaluate negligence claims by asking whether a company met the standard of care that others in similar circumstances would reasonably have adopted. For a long time, it was unclear which security controls that standard actually required.
Plaintiffs' attorneys are now pointing to widely adopted frameworks and regulatory standards, including SOC 2, NIST CSF, ISO 27001, and the HIPAA Security Rule, as evidence of what reasonable security looks like in a given industry. These standards consistently name MFA and encryption as foundational controls. When a breach occurs and those controls weren't in place, the argument writes itself: the industry agreed on the standard, and your company didn't meet it.
The judicial response has been receptive. Courts are increasingly accepting "risk of future harm" as sufficient standing for breach victims to sue, which lowers the bar for data breach class actions to survive early dismissal. And settlements like 23andMe's signal that the negligence theory is credible enough to drive significant payouts.
States are responding to this trend. Florida, Tennessee, and Texas have each enacted safe harbor laws that shield companies from class-action liability arising from a cybersecurity incident, but only if the company had implemented MFA and aligned its program with a recognized security framework before the incident occurred. The laws are designed to protect companies that do the work, and they draw a dividing line between companies that did enough and companies that didn't.
What a Missing Control Means for Your Cyber Insurance
Most business leaders assume that if a breach happens, Cyber Insurance pays for the response. But it’s more conditional than that.
Cyber policies have evolved significantly over the past several years. Insurers now routinely ask about security controls during underwriting: whether MFA is enabled on email, remote access, and privileged accounts; whether systems are encrypted; whether an incident response plan exists. These aren't just questions used to set your premium. In many policies, they're coverage conditions.
If a breach occurs and the insurer's claims investigation finds that controls you represented as in place weren't actually implemented, coverage may be voided or reduced. That investigation happens while response costs are accumulating and legal exposure is growing.
According to the 2025 Verizon Data Breach Investigations Report, stolen credentials were the initial access vector in 22% of the breaches reviewed. Credential-based attacks, which include both credential stuffing and phishing-enabled account takeovers, are the scenario MFA is specifically designed to interrupt: a reused or leaked password stops being enough on its own. One caveat a security team should keep in mind is that SMS and push-based MFA can still be defeated by real-time phishing proxies and push-fatigue attacks, while phishing-resistant methods such as FIDO2 security keys and passkeys cannot, so the form of MFA deployed matters, not just its presence. An insurer reviewing a claim from a credential-stuffing breach in an account that lacked MFA will ask the same question a plaintiff's attorney would.
The IBM 2025 Cost of a Data Breach Report put the average global breach cost at $4.44 million, with technology companies averaging $4.79 million. Those figures assume coverage responds fully; a policy that limits payout because controls weren't in place changes the math considerably.
Why D&O Exposure Follows a Missing Security Control
There's a second liability path that doesn't get enough attention, especially for founders and executives at growth-stage companies. It runs through Directors & Officers Insurance rather than Cyber Insurance, and it's triggered not by the breach itself but by what happens after the breach becomes a governance story.
The Securities and Exchange Commission's cybersecurity disclosure rules, which took effect in December 2023, require public companies to disclose material cybersecurity incidents and to describe their board-level oversight of security risk. Private companies aren't subject to the same SEC disclosure requirements, but the underlying governance question is the same: did leadership exercise reasonable oversight of the company's security posture?
If a breach reveals that basic controls weren't implemented, shareholders and investors have grounds to ask who was responsible for that decision. Derivative suits, in which shareholders sue directors on behalf of the company for failing their fiduciary duty, are a direct downstream risk of a governance-level security failure. Securities class actions, where investors claim a breach caused them financial harm, are another.
Directors & Officers Insurance is designed to cover executives in litigation triggered by decisions made at the leadership level. The coverage responds to legal defense costs, settlements, and judgments when directors and officers are personally named in suits connected to their roles.
Most companies buying Cyber Insurance are thinking about breach response factors like forensics, notification, credit monitoring, and legal defense tied to the incident. Fewer are thinking about the follow-on risk that targets leadership directly. Depending on what discovery surfaces in a breach lawsuit, executive decisions about the security budget and governance program can become part of the record.
What Reasonable Security Requires in 2026
The controls that satisfy courts, regulators, and insurers are the same checklist that appears in every major security framework, and they've been available for years. The gap for most companies isn't awareness. It's implementation and documentation.
Here's what "reasonable security" consistently maps to across frameworks that courts have referenced:
- Multi-factor authentication on all remote access, email, administrative accounts, and any system handling sensitive data, with phishing-resistant methods preferred for administrative and remote access. MFA is the single control that appears most frequently in both breach litigation and insurance underwriting requirements.
- Encryption at rest and in transit for sensitive data, including customer information, financial records, and employee data. The US Mortgage complaint specifically cited unencrypted data as evidence of negligence alongside the missing MFA claim.
- Access controls and least-privilege principles to limit which employees and systems can reach sensitive data. A compromised account does far less damage when it could only reach what its owner actually needed.
- Incident response planning that is documented, tested, and actionable. A written plan signals that leadership considered breach scenarios before one occurred, which matters in both insurance underwriting and litigation.
- Regular risk assessments to identify gaps before they become incidents. A proposed update to the HIPAA Security Rule would codify annual risk assessments as a mandatory requirement for covered entities. Even outside a finalized HIPAA update, annual reviews have become a consistent marker of reasonable security governance across industries and frameworks.
- Data minimization practices that ensure sensitive information isn't retained longer than needed. The US Mortgage complaint cited failure to delete data that no longer needed to be stored as a separate count of negligence.
Documentation matters as much as implementation. A company that has all of these controls in place but can't demonstrate their existence to an insurer or in discovery is in a weaker position than it needs to be. The goal isn't just to have reasonable security; it's to be able to show that you had it, with dated evidence such as MFA enforcement policies, encryption configuration, access reviews, and records of incident response plan tests.
The legal system and the insurance market are converging on the same set of expectations. Companies that treat these controls as the floor protect their coverage quality, reduce their exposure to breach litigation, and give their leadership team a defensible record if governance questions arise after an incident.
If you're not sure whether your current security posture aligns with what your Cyber Insurance requires, or whether your Directors & Officers Insurance reflects the executive exposure that follows a breach, a Vouch advisor can walk through both. Coverage works best when it's matched to your actual risk profile, not a generic one.
Vouch Specialty Insurance Services, LLC (CA License #6004944) is a licensed insurance producer in states where it conducts business. A complete list of state licenses is available at vouch.us/legal/licenses. Insurance products are underwritten by various insurance carriers, not by Vouch. This material is for informational purposes only and does not create a binding contract or alter policy terms. Coverage availability, terms, and conditions vary by state and are subject to underwriting review and approval.