2022 has been a busy year for the adoption of the Duty of Care Risk Analysis Standard (“DoCRA”) by state regulators. As of October 1, seven states, including the District of Columbia, used DoCRA’s three principles to describe to breached organizations what reasonable security is. Pennsylvania’s Office of Attorney General led the charge, sometimes bringing other states with it on multi-district litigations.

Three case settlements all describe a three-factor test and reference DoCRA, CIS RAM, and the Sedona Conference paper Commentary on a Reasonable Security Test.

The test for reasonable security referenced by Pennsylvania is described as follows:

  1. The safeguards must not create a likelihood and impact of harm to Consumers or the public interest such that a remedy is needed.
  2. The safeguards may not require [the organization] to curtail its proper objectives (e.g., profit, growth, reputation, market competitiveness) or the utility of [their] services to Consumers.
  3. The burden imposed on [the organization] by the safeguards must be proportionate to the risk the safeguards reduce to consumers and the public interest.

This test will look familiar to HALOCK’s risk management clients and to organizations that have used DoCRA. Pennsylvania’s test factors correspond to the “obligations,” “mission,” and “objectives” of a DoCRA risk assessment. So let’s break down the common DoCRA factors in these settlements one by one.

 

FACTOR 1: “The safeguards must not create a likelihood and impact of harm to Consumers or the public interest such that a remedy is needed.”

What this means for lawyers: Regulators and negligence litigators can legitimately pursue lawsuits and punitive actions only when others are harmed.

What this means for business: Include in your risk assessment how risks would impact others. DoCRA evaluates multiple impact types in its risk analysis, including impacts to “Obligations” to protect others. By aiming your risk treatment plan toward acceptable impacts to your obligations, you demonstrate your due diligence. Note that most historic risk assessments have been inward-focused, considering harm only to the organization performing the analysis. The new insight here is that harm outside the organization must be considered, and not just in terms of what is acceptable to the organization, but in terms of what is acceptable to those who use the organization’s services and products, and to the public at large.

 

FACTOR 2: “The safeguards may not require [the organization] to curtail its proper objectives (e.g., profit, growth, reputation, market competitiveness) or the utility of [their] services to Consumers.”

What this means for lawyers: Regulators have been required since 1993 (Executive Order 12866) not to over-reach while enforcing regulations. Similarly, plaintiffs must demonstrate that breached defendants could have used safeguards that would not have been more burdensome than the risks they would have reduced. This factor expresses the limit imposed on law to not unduly burden an organization’s business, including the reason why the public engages in the risk to begin with (“utility”).

What this means for business: Include in your risk assessment how risks and safeguards would impact your Mission (the value your business provides to the public) and your Objectives (your business goals). The new insight here is that the organization should rerun the risk analysis on the proposed safeguards to see if the cure is worse than the disease. The organization should document and archive its calculus to defend its decisions on priorities and document its definition of acceptable risk.

 

FACTOR 3: “The burden imposed on [the organization] by the safeguards must be proportionate to the risk the safeguards reduce to consumers and the public interest.”

What this means for lawyers: This factor provides defendants with their method for demonstrating whether Factor 2 was met.

What this means for business: Document that your safeguards are reasonable by comparing their burden to the risks they reduce. Especially document whether standard controls that you cannot implement are unreasonable because they would be more burdensome to your Mission and Objectives than the risks they reduce to your Obligations. The message here is that while you need to be reasonable, you don’t have to be a Hero.
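As an added illustration (not code from HALOCK, the settlements, or the DoCRA standard itself), the three factors can be run as a check over a constructed scenario; the 1-5 scales, the acceptable-risk threshold, the scoring rule and the account-takeover scenario are all assumptions chosen for this example:

```python
from dataclasses import dataclass

# Assumed acceptable-risk threshold on the impact-times-likelihood scale (constructed).
ACCEPTABLE_RISK = 6


@dataclass
class Risk:
    """One risk scenario scored on assumed 1-5 scales (constructed for this example)."""
    obligations: int  # impact on consumers / the public if this scenario occurs
    mission: int      # impact on the value the organization provides
    objectives: int   # impact on business goals: profit, growth, reputation
    likelihood: int   # how foreseeable the scenario is

    def score(self) -> int:
        # Assumed scoring rule: highest impact to any party times likelihood.
        return max(self.obligations, self.mission, self.objectives) * self.likelihood


def three_factor_test(current: Risk, residual: Risk, safeguard: Risk) -> dict:
    """Apply the three settlement factors to one proposed safeguard.
    current: the risk today; residual: the risk once the safeguard is in place;
    safeguard: the safeguard itself re-run through the same risk analysis.
    """
    # Factor 1: harm left to others, or newly created by the safeguard, stays acceptable.
    harm_to_others = max(residual.obligations * residual.likelihood,
                         safeguard.obligations * safeguard.likelihood)
    factor1 = harm_to_others <= ACCEPTABLE_RISK
    # Factor 2: the safeguard must not curtail mission or objectives unacceptably.
    burden = max(safeguard.mission, safeguard.objectives) * safeguard.likelihood
    factor2 = burden <= ACCEPTABLE_RISK
    # Factor 3: burden must be proportionate to the risk the safeguard removes.
    reduction = current.score() - residual.score()
    factor3 = burden <= reduction
    return {"factor1": factor1, "factor2": factor2, "factor3": factor3,
            "burden": burden, "reduction": reduction,
            "reasonable": factor1 and factor2 and factor3}


# Constructed scenario: account takeover on a customer portal (scores are illustrative).
TAKEOVER_TODAY = Risk(obligations=5, mission=3, objectives=3, likelihood=4)     # score 20
TAKEOVER_WITH_MFA = Risk(obligations=5, mission=3, objectives=3, likelihood=1)  # score 5
MFA_ITSELF = Risk(obligations=1, mission=2, objectives=2, likelihood=2)         # burden 4
# A heavier alternative: in-person identity proofing before every login.
IN_PERSON_ITSELF = Risk(obligations=1, mission=5, objectives=4, likelihood=5)   # burden 25

if __name__ == "__main__":
    print(three_factor_test(TAKEOVER_TODAY, TAKEOVER_WITH_MFA, MFA_ITSELF))        # reasonable
    print(three_factor_test(TAKEOVER_TODAY, TAKEOVER_WITH_MFA, IN_PERSON_ITSELF))  # not reasonable
```

The second run is the “cure worse than the disease” case from Factor 2: the heavier control fails both the burden threshold and the proportionality comparison, which is the documented evidence that declining it was reasonable.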

 

References:

  1. The Duty of Care Risk Analysis Standard: “The DoCRA Standard” (DoCRA)
  2. Pennsylvania Wawa Announcement: “Attorney General Josh Shapiro Announces $8 Million Agreement with Wawa Following Investigation into 2019 Data Breach” (PA Office of Attorney General)
  3. Wawa Agreement Details: 2022-07-26-PA-OAG-v.-Wawa-AVC-Accepted-efiling.pdf (attorneygeneral.gov)


Frequently Asked Questions (FAQs) on Reasonable Security

What Is Reasonable Security?

Reasonable Security is appropriate cybersecurity protection for your organization. Based on your size, data types, and risk profile, reasonable security can be a legal standard of care and a cybersecurity best practice, both of which show that you took defensible steps to protect information.

 

Why is “Reasonable” Security Important?

“Reasonable security” language is found in most state and federal privacy laws, and regulators have ruled that you must show you took “reasonable” steps to protect sensitive information.

Reasonable security does not mean perfect security, but rather security that makes sense based on your risks and resources.

Organizations with reasonable security:

  • Have a better chance of avoiding regulatory action after a breach
  • Are better positioned during litigation and investigations
  • Have more support from cyber insurance carriers and adjusters
  • Instill more confidence with clients, partners, and stakeholders

 

What Laws Reference “Reasonable Security”?

In the United States, a variety of state and federal laws require organizations to have “reasonable security practices and procedures.” These include, but are not limited to:

“(3) Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business’ obligations under this title.”

“(5) Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.”

“(e) A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.”

 

“(b) A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

(c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

 

“requiring that companies develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information”

 

“(a) A data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information concerning an Illinois resident shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.

(b) A contract for the disclosure of personal information concerning an Illinois resident that is maintained by a data collector must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.”

 

“(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;”

 

Controllers must “Use reasonable safeguards to secure personal data.”

 

“the Gramm-Leach-Bliley Act, sets forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.”

 

“What does a reasonable information security program look like?”

 

“every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);”

The laws do not specify exactly what controls you should use, but they do typically require some defensible evidence that you assessed and mitigated risk appropriately.

 

How Do You Demonstrate Reasonable Security?

The most effective way is through a documented, risk-based assessment process that allows you to show how your organization identifies, prioritizes, and mitigates risks.

A legally defensible risk assessment provides a fact-based argument that your actions were prudent, informed, and proportionate.

Key elements include:

  1. Risk identification: What data, systems, and processes are impacted?
  2. Threat and vulnerability analysis: What risks are credible and foreseeable?
  3. Impact assessment: What could cause harm to customers, partners, or operations?
  4. Control evaluation: What safeguards are reasonable under current conditions?
  5. Documentation: Written records of your findings, decisions, and mitigations.

Security and legal frameworks such as NIST SP 800-30, ISO 27005, CIS Controls, and DoCRA (Duty of Care Risk Analysis) can help define and prove what “reasonable” looks like in practice.

 

What Is the Duty of Care Risk Analysis (DoCRA)?

The Duty of Care Risk Analysis (DoCRA) standard is an approach for establishing and documenting reasonable security for an organization. It states that reasonable security is:

“Security that balances the interests of the organization with the interests of others who may be harmed if security fails.”

DoCRA helps organizations to review and justify risk decisions, not only from a compliance point of view but also with respect to fairness, proportionality, and legal defensibility. In essence, it considers an organization’s mission, objectives, and obligations. It effectively bridges security, business, and legal aspects in one defensible framework.

 

 

How HALOCK Helps Organizations Demonstrate Reasonable Security

HALOCK offers cybersecurity assessments that are risk-based, legally defensible, and aligned with the Duty of Care Risk Analysis (DoCRA) standard.

A HALOCK assessment helps you to:

  • Identify, quantify, and prioritize cyber risks
  • Select and balance controls with business impact
  • Document a reasonable security posture for regulators, courts, and clients
  • Establish an accountability and continuous improvement process

 

How Can You Define “Reasonable Security”?

Reasonable security means implementing safeguards that are:

Appropriate: Based on your business size, industry, and data sensitivity

Proportionate: Controls balance protection with business practicality

Recognized: Align with accepted frameworks (NIST, ISO 27001, CIS, DoCRA)

Documented: You can prove decisions, policies, and risk management actions

Adaptive: Regularly reassessed as technology, threats, and operations evolve

 

Learn how Duty of Care Risk Analysis (DoCRA) can help you achieve reasonable security:

What is Duty of Care Risk Analysis (DoCRA) for Cybersecurity?

What is Duty of Care Risk Analysis (DoCRA) for General Counsel?

What is Duty of Care Risk Analysis (DoCRA) for Regulators?

What is Duty of Care Risk Analysis (DoCRA) for Auditors?

What is Duty of Care Risk Analysis (DoCRA) for Executives?

What is Duty of Care Risk Analysis (DoCRA) for Risk Managers?