2022 has been a busy year for adoption of the Duty of Care Risk Analysis Standard (“DoCRA”) by state regulators. As of October 1, seven states, including the District of Columbia, have used DoCRA’s three principles to describe to breached organizations what reasonable security is. Pennsylvania’s Office of Attorney General led the charge, sometimes bringing other states along in multi-district litigation.
Three case settlements all describe a three-factor test and reference DoCRA, CIS RAM, and the Sedona Conference paper Commentary on a Reasonable Security Test.
- Pennsylvania v Earl Enterprises
- Pennsylvania v Hannah Andersson
- Pennsylvania v Wawa Inc.
The test for reasonable security referenced by Pennsylvania is described as follows:
- The safeguards must not create a likelihood and impact of harm to Consumers or the public interest such that a remedy is needed.
- The safeguards may not require [the organization] to curtail its proper objectives (e.g., profit, growth, reputation, market competitiveness) or the utility of [their] services to Consumers.
- The burden imposed on [the organization] by the safeguards must be proportionate to the risk the safeguards reduce to consumers and the public interest.
This test will look familiar to HALOCK’s risk management clients and to organizations that have used DoCRA. Pennsylvania’s test factors correspond to the “obligations,” “mission,” and “objectives” of a DoCRA risk assessment. So let’s break down the common DoCRA factors in these settlements one by one.
Factor 1: “The safeguards must not create a likelihood and impact of harm to Consumers or the public interest such that a remedy is needed.”
What this means for lawyers: Regulators and negligence litigators can legitimately pursue lawsuits and punitive actions only when others are harmed.
What this means for business: Include in your risk assessment how risks would impact others. DoCRA evaluates multiple impact types in its risk analysis, including impacts to “Obligations” to protect others. By aiming your risk treatment plan toward acceptable impacts to your obligations, you demonstrate your due diligence. Note that the majority of historic risk assessments have been inward-focused, considering only harm to the organization performing the analysis. The new insight here is that we need to consider harm outside the organization, and not just whether the risk is acceptable to the organization, but whether it is acceptable to those who use the organization’s services and products and to the public at large.
Factor 2: “The safeguards may not require [the organization] to curtail its proper objectives (e.g., profit, growth, reputation, market competitiveness) or the utility of [their] services to Consumers.”
What this means for lawyers: Regulators have been required since 1993 (Executive Order 12866) not to overreach while enforcing regulations. Similarly, plaintiffs must demonstrate that breached defendants could have used safeguards that would not have been more burdensome than the risks they would have reduced. This factor expresses the limit imposed on law not to unduly burden an organization’s business, including the reason the public engages in the risk to begin with (“utility”).
What this means for business: Include in your risk assessment how risks and safeguards would impact your Mission (the value your business provides to the public) and your Objectives (your business goals). The new insight here is that the organization should rerun the risk analysis on the proposed safeguards to see if the cure is worse than the disease. The organization should document and archive its calculus to defend its decisions on priorities and document its definition of acceptable risk.
Factor 3: “The burden imposed on [the organization] by the safeguards must be proportionate to the risk the safeguards reduce to consumers and the public interest.”
What this means for lawyers: This factor provides defendants with their method for demonstrating whether Factor 2 was met.
What this means for business: Document that your safeguards are reasonable by comparing their burden to the risks they reduce. Especially document whether standard controls that you cannot implement are unreasonable because they would be more burdensome to your Mission and Objectives than the risks they reduce to your Obligations. The message here is that while you need to be reasonable you don’t have to be a Hero.
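The three factors above can be read as three checks run against a risk and each candidate safeguard: residual harm to others must be acceptable (Factor 1), the safeguard’s own burden on mission and objectives must be acceptable (Factor 2), and that burden must not exceed the risk it removes (Factor 3). The script below is an added illustration of that workflow, not code from HALOCK, the DoCRA Council, or the settlements. The 1–5 likelihood and impact scales, the rule that the worst-hit impact area sets the overall impact, the acceptable-risk threshold of 10, and the point-of-sale scenario are all constructed assumptions for the example; an organization’s own risk register defines these for real.

```python
"""DoCRA-style reasonableness check for candidate safeguards.

Illustrative only: scales, threshold and sample figures are constructed for
this example and are not the DoCRA standard's or CIS RAM's official tables.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Impact:
    """Harm on a 0-5 scale to each of the three DoCRA impact areas."""
    mission: int      # the value the organization provides to the public
    objectives: int   # business goals: profit, growth, reputation, competitiveness
    obligations: int  # duty to protect consumers and the public interest

    def score(self) -> int:
        # Assumption: the worst-hit area drives the overall impact.
        return max(self.mission, self.objectives, self.obligations)


@dataclass(frozen=True)
class Risk:
    """A risk is likelihood (1 rare .. 5 expected) times impact."""
    name: str
    likelihood: int
    impact: Impact

    def score(self) -> int:
        return self.likelihood * self.impact.score()

    def score_to_others(self) -> int:
        """Only the harm that falls on consumers and the public (Factor 1)."""
        return self.likelihood * self.impact.obligations


@dataclass(frozen=True)
class Safeguard:
    name: str
    residual: Risk  # the original risk as it would stand with the safeguard in place
    burden: Risk    # the risk the safeguard itself creates to mission/objectives/utility


# Constructed threshold: the highest risk score the organization accepts.
ACCEPTABLE_RISK = 10


def evaluate(risk: Risk, sg: Safeguard) -> dict:
    """Apply the three settlement factors to one safeguard for one risk."""
    reduced = risk.score() - sg.residual.score()
    factor1 = sg.residual.score_to_others() <= ACCEPTABLE_RISK  # harm to others acceptable
    factor2 = sg.burden.score() <= ACCEPTABLE_RISK              # cure not worse than disease
    factor3 = sg.burden.score() <= reduced                      # burden proportionate
    return {
        "safeguard": sg.name,
        "risk_reduced": reduced,
        "burden": sg.burden.score(),
        "factor1_harm_to_others_acceptable": factor1,
        "factor2_burden_on_mission_acceptable": factor2,
        "factor3_burden_proportionate": factor3,
        "reasonable": factor1 and factor2 and factor3,
    }


def decision_record(risk: Risk, candidates: list) -> list:
    """One line per candidate, suitable for archiving as the documented calculus."""
    lines = [f"Risk '{risk.name}': score {risk.score()}, acceptable <= {ACCEPTABLE_RISK}"]
    for c in candidates:
        e = evaluate(risk, c)
        failed = [k for k, v in e.items() if k.startswith("factor") and v is False]
        verdict = "REASONABLE" if e["reasonable"] else "NOT REASONABLE (" + ", ".join(failed) + ")"
        lines.append(f"  {c.name}: reduces {e['risk_reduced']}, costs {e['burden']} -> {verdict}")
    return lines


# Constructed scenario: unencrypted card data handled at point-of-sale terminals.
RISK = Risk("card data exposed at POS", likelihood=4, impact=Impact(2, 4, 5))
CANDIDATES = [
    Safeguard("point-to-point encryption",
              residual=Risk("residual", 1, Impact(2, 4, 5)),
              burden=Risk("burden", 5, Impact(1, 2, 0))),
    Safeguard("stop accepting cards entirely",
              residual=Risk("residual", 1, Impact(2, 4, 5)),
              burden=Risk("burden", 5, Impact(5, 5, 0))),
    Safeguard("annual awareness training only",
              residual=Risk("residual", 3, Impact(2, 4, 5)),
              burden=Risk("burden", 5, Impact(1, 1, 0))),
]

if __name__ == "__main__":
    print("\n".join(decision_record(RISK, CANDIDATES)))
```

In the constructed scenario, encryption passes all three factors; refusing cards eliminates the risk but fails Factors 2 and 3 because its burden (25) exceeds both the acceptable threshold and the 15 points of risk it removes; training alone is cheap and proportionate but fails Factor 1 because the harm left to consumers (15) is still above the acceptable level. The `decision_record` output is the kind of archived calculus Factor 3 asks a business to keep: each rejected standard control is recorded with the factor it failed.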
References:
- The Duty of Care Risk Analysis Standard: The DoCRA Standard – DOCRA
- Pennsylvania Wawa announcement: Attorney General Josh Shapiro Announces $8 Million Agreement with Wawa Following Investigation into 2019 Data Breach – PA Office of Attorney General
- Wawa agreement details: 2022-07-26-PA-OAG-v.-Wawa-AVC-Accepted-efiling.pdf (attorneygeneral.gov)