The Federal Trade Commission is no longer the only sheriff in town when it comes to cybersecurity and data privacy regulations. More and more states—and countries—are getting involved in efforts to safeguard personal information. This includes customers and vendors who often require reasonable cybersecurity in contracts. But what does "reasonable cybersecurity" mean and how can we start to answer a question that always "depends"?