Managing HIPAA Risk With Duty Of Care Risk Analysis (DoCRA)
August 19, 2022
ABOUT INSIDER: A brief Q&A synopsis from Health Care Law Today podcast featuring Foley Partner Jen Rathburn interviewing Terry Kurzynski, founder of HALOCK Security Labs. Jen has been practicing for almost 20 years in data privacy and security. Terry has over 25 years of experience in the cybersecurity arena and also serves as a board member on the DoCRA Council. The full podcast can be found here.
Understanding Risk’s Role in Reasonable Security
August 19, 2022
As regulations and privacy laws require ‘reasonable security’, we are seeing more organizations focusing on their duty of care to all interested parties. There are more references to ‘reasonableness’ in breach litigation, and inquiries in how company security programs are implementing reasonable controls.
Professionals seek answers for their specific working environment. Each organization also follows various standards, which can be a challenge. One approach that integrates this process is the Duty of Care Risk Analysis (DoCRA). It provides guidance on how to establish reasonable security.
Read full article at Techbullion.
The Center for Internet Security, Inc. (CIS®): Conceptualizing Reasonableness for Risk Analysis
April 29, 2022
The Center for Internet Security, Inc. (CIS®): In episode 29 of Cybersecurity Where You Are, co-hosts Tony Sager and Sean Atkinson are joined by Chris Cronin, ISO 27001 Auditor and Partner at HALOCK, a leading information security consultancy. Their discussion focuses on “reasonableness” as it relates to cybersecurity risk management. This topic isn’t just about proving to regulators, litigators, and others that security controls were in place prior to an incident. It also considers how to implement safeguards without overburdening users and executives.
CIS RAM v2.1 for Implementation Group 2 (IG2)
January 20, 2022
CIS RAM was developed by HALOCK Security Labs in partnership with CIS. HALOCK has used CIS RAM’s methods for several years with positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM v1.0 in 2018, and now v2.1 in 2021 – 2022. CIS is a founding member of the nonprofit DoCRA Council that maintains the risk analysis standard that CIS RAM is built upon.
5 Cybersecurity Predictions For 2022
January 11, 2022
Increasing need for risk management ‘… taking sufficient measures to secure the sensitive personal data of other people as state regulators are now starting to use a clear definition for reasonable, risk-based security in their injunctions. In terms of litigation, a demonstrated due of care shows the absence of negligence which is a determining factor in lawsuits. A growing number of security frameworks are now available that can help organizations define what “reasonable security” actually.”
Standards for Safeguarding Customer Information
December 9, 2021
“a) That risk assessments should evaluate the likelihood of magnitudes of harm that result from threats and errors, b) That risk assessments should explicitly estimate foreseeable harm to consumers as well as to the covered financial institutions, c) That risk mitigating controls are commensurate with the risks they address, [and] d) That risk assessments estimate likelihoods and impacts using available data.”
CIS Risk Assessment Method (RAM) v2.0 for CIS Controls v8 Released
October 29, 2021
The Center for Internet Security (CIS) recently released the CIS Risk Assessment Method (RAM) v2.0, an information security risk assessment method to help enterprises justify investments for reasonable implementation of the CIS Critical Security Controls (CIS Controls). CIS RAM was developed by HALOCK Security Labs in partnership with CIS. HALOCK has used CIS RAM’s methods for several years with positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM v1.0 in 2018, and now v2.0 in 2021. CIS is a founding member of the non-profit DoCRA Council that maintains the risk analysis standard that CIS RAM is built upon.
How Will New Data Privacy Laws Affect Convenience Stores?
July 28, 2021
What Makes for Reasonable Measures and do they Defend Against Cyber Security Lawsuits?
May 21, 2021
At RSA Conference 2021, panelists debate the meaning of a very important word that may very well have an impact in data breach litigation
SPOT THE DIFFERENCE: Tony Kingham explains how x-ray technology can help with both security and duty of care
April 8, 2021
The Duty of Care Risk Analysis Standard (DoCRA) provides principles and practices for evaluating risk. It considers all parties that could be affected by those risks. DoCRA evaluates safeguards if they are appropriate in protecting others from harm while presenting a reasonable burden by defining what is reasonable risk. It helps establish reasonable security based on an organisation’s specific mission, objective, and obligations. Quite apart from the legal and moral imperative, there is a good business case for reasonable security measures.
Sedona Conference Just Leveled the Playing Field with Reasonable Security
March 4, 2021
The Sedona Conference Working Group 11 (WG11) has provided the definition for reasonable security. In February 2021, The Sedona Conference released its Commentary on a Reasonable Security Test to help the regulatory and litigation communities “move the law forward in a reasoned and just way.” We now have a test for reasonable security practices that brings together the traditions of regulators, litigators, and information security communities to balance burdens of safeguards against the risk of harm to ourselves and others.
CIS Risk Management Method (CIS RAM) overview
February 4, 2021
CIS RAM is an interesting method at many levels. It conforms and supplements standards like ISO 27005, NIST Special Publications 800–30, or RISK IT. It also bridges two different risk analysis methods: the well known method found is U.S. regulations and InfoSec standards: Risk = impact + likelyhood, and the less known “Calculus of Negligence” or “Learned Hand Rule” and as such incorporates principles and practices from Duty of Care Risk Analysis.
5 Cybersecurity Predictions for 2021
December 16, 2020
Finding a Test for Reasonable Security Practices: Embrace Complexity and Specifics
September 29, 2020
A working group of the Sedona Conference has proposed a solid answer to these questions. By its own description, the Sedona Conference is a nonpartisan, nonprofit research and educational institute dedicated to the advanced study of specific law and policy, including privacy and data security law. The Conference has just published a set of commentary on a reasonable security test. The paper is worth reading.
Defining Reasonable Security in a World of Rapid Change
September 22, 2020
The NetDiligence Virtual Summer Summit panel “What is Reasonable Cybersecurity?” proves, defining “reasonable” is not an easy task.
Moderator Andy Maher (AXIS) led panelists Chris Cronin (HALOCK), Doug Meal (Orrick LLP), and Tim Murphy (Office of the Attorney General for Pennsylvania) in a spirited discussion which gave hints of how this issue could become combative in a high stakes legal setting. But as Cronin pointed out, the very fact that definitions are evolving in contentious settings belies the fact that litigators, regulators, and insurers do have common understanding of how risk is assessed. And so, the tasks of defining terms, weighing their utility, and applying them though a risk-based analysis process should fall on experts such as the assembled panel.
Spirion, a data protection and compliance company based in St. Petersburg, Fla., launched its Global Alliance Partner Program
September 22, 2020
Spirion, a data protection and compliance company based in St. Petersburg, Fla., launched its Global Alliance Partner Program, for data security which spans software developers, technology providers, systems integrators and solution providers. Partners will “extend the functionality” of Spirion’s Data Privacy Management Framework, according to the company. Solution provider members of the program include GuidePoint Security and HALOCK Security Labs, while technology partners include ContextSpace, Seclore and Tonic.
Spirion Unveils Global Alliance Partner Program
September 21, 2020
Establishes technology and solution provider partner ecosystem committed to strengthening personal data protection through best-in-class solutions. “Our collaboration with Spirion is one of HALOCK’s most strategic partnerships designed to address some of the most complex challenges related to data protection in large enterprise environments,” said Terry Kurzynski, HALOCK Security Labs Founding Partner. “Our alliance with Spirion extends our reach into understanding, controlling, and protecting what’s most important to our clients, their sensitive data.”
September 18, 2020
Spirion, a data protection and compliance company based in St. Petersburg, Fla., launched its Global Alliance Partner Program, which spans software developers, technology providers, systems integrators and solution providers. Partners will “extend the functionality” of Spirion’s Data Privacy Management Framework, according to the company. Solution provider members of the program include GuidePoint Security and Halock Security Labs, while technology partners include ContextSpace, Seclore and Tonic.
3 Templates for a Comprehensive Cybersecurity Risk Assessment
July 28, 2020
Based on the Duty of Care Risk Analysis (DOCRA) that many regulatory bodies rely on to ensure that organizations are delivering reasonable risk management practices to protect their customers and vendors, the CIS RAM aligns with the CIS Controls specifically and uses a simplified risk statement to benchmark the level of risk associated and determine a viable safeguard to mitigate risk.
Federal Trade Commission Aims to Ramp Up the Cybersecurity Efforts of Financial Institutions
July 14, 2020
The Federal Trade Commission is seeking to ramp up mandated cybersecurity efforts for financial institutions by altering the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to develop, implement and maintain a comprehensive information security program.
“People are not generally doing what we would consider risk assessments,” said Chris Cronin, a partner at HALOCK Security Labs. “Instead, they’ll have an auditor come in and run an audit.”