Businesses have developed very thorough contractual language to protect their highly confidential information. If any personal information is at risk, even if it is very basic information involving, say customer names, the entirety of the extensive information security language is required. There is no scaling of the language depending on the actual risk presented. My suggestion is that businesses consider a scaled approach to information security, while, of course, still complying with all legal and regulatory requirements for the relevant data. I suggest scaling the protections required to actually reflect the risk may be a more appropriate approach.”]
Source: https://www.csoonline.com/article/2136688/overreacting-to-information-security.html