Chapter 4. The Legal Standard for Compliance

The general obligation to provide security for data is often simply stated in the law as an obligation to provide “reasonable” or “appropriate” security designed to achieve certain objectives. In some cases, statutes and regulations define those objectives in terms of positive results to be achieved, such as ensuring the availability of systems and information, controlling access to systems and information, and ensuring the confidentiality, integrity, and authenticity of information.[1] In other cases, they define those objectives in terms of the harms to be avoided – e.g. to protect systems and information against unauthorized access, use, disclosure or transfer, modification or alteration, processing, ...

Get Information Security Law: The Emerging Standard for Corporate Compliance now with the O’Reilly learning platform.