Cyber Security Breach Response Services

HALOCK works with clients and counsel to support organizations that have been breached.

Even small data breaches can have significant consequences. The most obvious are IT security concerns around network compromise and data exfiltration, but any breach of cyber security also comes with potential legal liability. We understand the risks that these breaches represent and work with you to help you navigate them for the benefit of your clients. To ensure compliance with industry, state and federal reporting and disclosure obligations, corporate legal teams are often best served by partnering with third-party cyber security breach response providers like HALOCK. We can help determine how breaches occurred, identify what data has been compromised and formulate a cyber breach response plan that satisfies legal obligations and helps ease your clients’ concerns.

HALOCK can help.

Examples of Cyber Security Breaches — and Their Legal Impact

Depending on the type of breach experienced, legal obligations may differ. For example, if networks are infiltrated but data is not viewed or exfiltrated, reporting requirements may be limited to regulatory bodies. If customer data is compromised, meanwhile, obligations expand exponentially.

Common types of cyber security breaches that can create legal issues include:

  • Data theft or loss: This includes data stolen by malicious external actors and information accidentally lost or deliberately taken by employees.
  • Insecure storage or transmission: Data compromised because of insecure storage architecture or transmission methods (such as unencrypted emails) can put companies at risk of legal challenge.
  • Missed patches or security updates: If needed patches or security updates aren’t applied and breaches occur, businesses may be held responsible for failing to take reasonable defensive precautions.

Failing to effectively and immediately address these issues could lead to legal repercussions — including fines and penalties; reputation loss; and class-action lawsuits or settlements, not to mention the costs associated with settling these legal challenges in court. We can help you determine what response is appropriate to better enable you to provide your clients with the legal advice and guidance they need.

Delivering on Duty of Care and Reasonable Security

While every organization encounters unique cyber security challenges, they share a common obligation: deploying reasonable and necessary defensive solutions. Yet, what exactly is “reasonable”?

HALOCK’s security experts help companies effectively apply the DoCRA (Duty of Care Risk Analysis) standard to current defenses and across potential risks. This standard is used by legal authorities and industry regulators to determine if security precautions taken were reasonable and necessary given the type, location and common use of stored or collected data. If HALOCK teams identify potential shortfalls in current security frameworks, they work with local IT and legal teams to create a reasonable cyber breach response strategy that helps reduce total risk.

Example Engagement: Legal Response for a Debt Collection Service

A debt collection service reported a potential theft of debtor data by a disgruntled employee. Suspicion of theft arose from colleagues who saw the employee print a massive report just prior to quitting without notice. The debt collection service was subject to multiple regulations and wanted to be sure a criminal forensics investigation stayed within the bounds of its cause to prevent regulatory complications.

HALOCK worked with counsel to carefully guide the responding detective to the few files and resources on the employee’s laptop that would have indicated whether there was reasonable suspicion of a breach. This enabled the detective to determine that there was no probable cause to take further action while preventing extraneous exploration, avoiding unnecessary breach disclosure, and providing sufficient evidence of due diligence after the suspicious activity.

Frequently Asked Questions (FAQ) on Reasonable Security

Why is “Reasonable” Security Important?

“Reasonable security” language is found in most state and federal privacy laws, and regulators have ruled that you must show you took “reasonable” steps to protect sensitive information.

Reasonable security does not mean perfect security, but rather security that makes sense based on your risks and resources.

Organizations with reasonable security:

  • Have a better chance of avoiding regulatory action after a breach
  • Are better positioned during litigation and investigations
  • Have more support from cyber insurance carriers and adjusters
  • Instill more confidence with clients, partners, and stakeholders

What Laws and Regulations Reference “Reasonable Security”?

In the United States, a variety of state and federal laws and regulations require organizations to have “reasonable security practices and procedures.” These include, but are not limited to:

“(3) Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business’ obligations under this title.”

“(5) Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.”

“(e) A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.”

“(b) A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

(c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

“requiring that companies develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information”

“(a) A data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information concerning an Illinois resident shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.

(b) A contract for the disclosure of personal information concerning an Illinois resident that is maintained by a data collector must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.”

“(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;”

Controllers must “Use reasonable safeguards to secure personal data.”

“the Gramm-Leach-Bliley Act, sets forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.”

“What does a reasonable information security program look like?”

“every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);”

How Do You Demonstrate Reasonable Security?

The most effective way is through a documented, risk-based assessment process that allows you to show how your organization identifies, prioritizes, and mitigates risks.

A legally defensible risk assessment provides a fact-based argument that your actions were prudent, informed, and proportionate.

Key elements include:

  1. Risk identification: What data, systems, and processes are impacted?
  2. Threat and vulnerability analysis: What risks are credible and foreseeable?
  3. Impact assessment: What could cause harm to customers, partners, or operations?
  4. Control evaluation: What safeguards are reasonable under current conditions?
  5. Documentation: Written records of your findings, decisions, and mitigations.

Security and legal frameworks such as NIST SP 800-30, ISO 27005, CIS Controls, and DoCRA (Duty of Care Risk Analysis) can help define and prove what “reasonable” looks like in practice.

Is Reasonable Security the Same as Compliance?

No. Compliance meets minimum standards, but reasonable security shows you went above and beyond with due care.

What Is the Duty of Care Risk Analysis (DoCRA)?

The Duty of Care Risk Analysis (DoCRA) standard is an approach to establishing and documenting reasonable security for an organization. It states that reasonable security is:

“Security that balances the interests of the organization with the interests of others who may be harmed if security fails.”

DoCRA helps organizations to review and justify risk decisions, not only from a compliance point of view but also with respect to fairness, proportionality, and legal defensibility. In essence, it considers an organization’s mission, objectives, and obligations. It effectively bridges security, business, and legal aspects in one defensible framework.

How Does HALOCK Help Organizations Demonstrate Reasonable Security?

HALOCK offers cybersecurity assessments that are risk-based, legally defensible, and aligned with the Duty of Care Risk Analysis (DoCRA) standard.

A HALOCK assessment helps you to:

  • Identify, quantify, and prioritize cyber risks
  • Select and balance controls with business impact
  • Document a reasonable security posture for regulators, courts, and clients
  • Establish an accountability and continuous improvement process

Partner with HALOCK for reasonable safeguards.