A growing number of state and federal laws require organizations to implement reasonable security safeguards to protect personal information. But what constitutes reasonable data security? This question has vexed organizations and spurred a considerable amount of litigation. On February 16, 2016, the California Attorney General’s Office released its 2016 Data Breach Report, which for the first time provides a listing of safeguards that the Attorney General views as constituting reasonable information security practices. Despite being focused on California, the Report’s recommendations are likely to have an impact far beyond the borders of the Golden State.