U.S. companies have finally received guidance from state regulators for operating reasonable security programs that are legally defensible. Seven Attorneys General, in a recent court filing, defined “reasonable” security, giving companies for the first time a test they can use to determine whether their cybersecurity programs will stand up to the scrutiny of lawyers and regulators. (Settlement Order)

FINALLY, A TEST FOR REASONABLE

The test set out in Pennsylvania v. Wawa, Inc.[1] says that reasonableness can be demonstrated through a three-part test built on DoCRA’s[2] and CIS RAM’s[3] three principles. That test is:

  1. The safeguards must not create a likelihood and impact of harm to Consumers or the public interest such that a remedy is needed.
  2. The safeguards may not require [the organization] to curtail its proper objectives (e.g., profit, growth, reputation, market competitiveness) or the utility of [their] services to Consumers.
  3. The burden imposed on [the organization] by the safeguards must be proportionate to the risk the safeguards reduce to consumers and the public interest.

To HALOCK’s risk management clients, this test will look familiar. These factors are the “obligations,” “mission,” and “objectives” of a DoCRA risk assessment. HALOCK has been using these DoCRA principles for many years and for hundreds of our clients.

Using DoCRA’s reasonableness principles, organizations can:

  • Establish a risk-based cybersecurity program, as required by regulators.
  • Determine when to make cybersecurity investments and when to accept risk that is reasonable.
  • Demonstrate to insurance carriers that they pose a low risk to the carrier’s portfolio, in exchange for lower rates and higher coverage.
  • Defend the reasonableness of their program to regulators and attorneys when a breach occurs.

HALOCK has led this important effort to define reasonableness for the cybersecurity industry because so much is at stake for our clients in getting this right. Cybersecurity will never be perfect, but it can be “reasonable” and legally defensible, and that is HALOCK’s goal for our clients.

 

THE ROOT OF THE PROBLEM

Since Gramm-Leach-Bliley and HIPAA were enacted, information security regulations have required “reasonable” safeguards implemented through risk-based programs. The Federal Trade Commission and the states followed suit, requiring the “reasonable” standard without defining it. For decades the FTC, states’ attorneys general, the Department of Health and Human Services and others determined negligence in data breach cases simply by asserting that the breached organization was not reasonably protecting information.

This led to tremendous cost and unnecessary effort. Organizations spent money on cybersecurity solutions that met compliance goals, or seemed appropriate at the time, without addressing actual risk. The inability to define and defend reasonableness has been very costly (e.g., attorneys’ fees, class actions, regulatory fines, damage to public sentiment).

Making matters worse, in 2018 a federal appeals court held that the FTC could not enforce an order requiring “reasonable” security without specifying what reasonable security meant (LabMD, Inc. v. FTC, 11th Cir. 2018).

 

THE FIX

HALOCK Security Labs has worked with the country’s leading cybersecurity lawyers and experts to define “reasonable.”

Through a non-profit organization, the DoCRA Council, HALOCK donated its intellectual property to help clients demonstrate reasonable security to regulators and judges.

HALOCK worked with Center for Internet Security (CIS) to author the CIS Risk Assessment Method, (CIS RAM) which provides practical instructions and templates for conducting DoCRA-based risk assessments.

One of our partners contributed to Commentary on a Reasonable Security Test, a white paper published by the legal think tank, The Sedona Conference.

For the past several years, HALOCK has acted as expert witness for regulators and litigators to help them use DoCRA’s three-part test to determine whether an organization used reasonable controls at the time they were breached.

And on July 26, seven Attorneys General, from Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida, and the District of Columbia, filed a settlement order requiring Wawa to demonstrate reasonable security controls using DoCRA’s principles.

This is an important moment in cybersecurity risk management. With six states and D.C. providing this simple and clear test for reasonable security, companies now have the legal guidance they need to implement “reasonable” and legally defensible security programs.

Reference: Commentary on a Reasonable Security Test, The Sedona Conference®

  1. See “Reasonable and Appropriate,” as explained in Duty of Care Risk Analysis.
  2. DoCRA is Duty of Care Risk Analysis. See www.docra.org for details on the standard.
  3. CIS RAM is the Center for Internet Security Risk Assessment Method. See www.cisecurity.org for more details.


Frequently Asked Questions (FAQs) on Reasonable Security

What Is Reasonable Security?

Reasonable security is cybersecurity protection that is appropriate for your organization, given its size, the types of data it handles, and its risk profile. It is both a legal standard of care and a cybersecurity best practice, and meeting it shows that you took defensible steps to protect information.

 

Why is “Reasonable” Security Important?

“Reasonable security” language is found in most state and federal privacy laws, and regulators expect you to show that you took “reasonable” steps to protect sensitive information.

Reasonable security does not mean perfect security, but rather security that makes sense based on your risks and resources.

Organizations with reasonable security:

  • Have a better chance of avoiding regulatory action after a breach
  • Are better positioned during litigation and investigations
  • Have more support from cyber insurance carriers and adjusters
  • Instill more confidence with clients, partners, and stakeholders

 

What Laws Reference “Reasonable Security”?

In the United States, a variety of state and federal laws require organizations to have “reasonable security practices and procedures.” These include, but are not limited to:

  • California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.):

    “(3) Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business’ obligations under this title.”

    “(5) Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.”

    “(e) A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.”

  • California Civil Code § 1798.81.5:

    “(b) A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

    (c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

  • New York SHIELD Act (N.Y. Gen. Bus. Law § 899-bb):

    “requiring that companies develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information”

  • Illinois Personal Information Protection Act (815 ILCS 530/45):

    “(a) A data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information concerning an Illinois resident shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.

    (b) A contract for the disclosure of personal information concerning an Illinois resident that is maintained by a data collector must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.”

  • Massachusetts 201 CMR 17.04:

    “(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;”

  • State consumer privacy acts: controllers must “Use reasonable safeguards to secure personal data.”

  • Gramm-Leach-Bliley Act (FTC Safeguards Rule):

    “the Gramm-Leach-Bliley Act, sets forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.”

  • Regulator guidance: “What does a reasonable information security program look like?”

  • EU General Data Protection Regulation, Article 5(1)(d):

    “every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);”

The laws do not specify exactly which controls you should use, but they typically require defensible evidence that you assessed risk and mitigated it appropriately.

 

How Do You Demonstrate Reasonable Security?

The most effective way is through a documented, risk-based assessment process that allows you to show how your organization identifies, prioritizes, and mitigates risks.

A legally defensible risk assessment provides a fact-based argument that your actions were prudent, informed, and proportionate.

Key elements include:

  1. Risk identification: What data, systems, and processes are impacted?
  2. Threat and vulnerability analysis: What risks are credible and foreseeable?
  3. Impact assessment: What could cause harm to customers, partners, or operations?
  4. Control evaluation: What safeguards are reasonable under current conditions?
  5. Documentation: Written records of your findings, decisions, and mitigations.

Security and legal frameworks such as NIST SP 800-30, ISO/IEC 27005, the CIS Controls, and DoCRA (Duty of Care Risk Analysis) can help define, and prove, what “reasonable” looks like in practice.
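The three-part test quoted from the Wawa settlement earlier on this page, and the five key elements listed just above, describe a calculation: score the harm a risk poses on DoCRA’s three criteria (mission, objectives, obligations), score each candidate safeguard both for the residual risk it leaves and for the burden it imposes, and accept the safeguard only if it passes all three parts. The following Python is an added worked example of that test; it is not HALOCK’s, the DoCRA Council’s or CIS RAM’s code. The 1-to-5 scales, the acceptable-risk threshold of 9, and every risk-register entry are constructed assumptions for illustration only.

```python
"""Worked example of DoCRA's three-part reasonableness test.

Added for illustration; not code from HALOCK, the DoCRA Council or CIS RAM.
The 1..5 scales, the acceptable-risk threshold and every register entry
below are constructed assumptions, not values from any real assessment.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed risk appetite: a likelihood x impact score at or below this needs no remedy.
ACCEPTABLE_RISK = 9


@dataclass(frozen=True)
class Impact:
    """Magnitude of harm (assumed 1 = negligible .. 5 = catastrophic) on DoCRA's criteria."""
    mission: int      # harm to the organization's purpose
    objectives: int   # harm to profit, growth, reputation, competitiveness
    obligations: int  # harm to consumers and the public interest

    def worst(self) -> int:
        return max(self.mission, self.objectives, self.obligations)


def score(likelihood: int, impact: int) -> int:
    """Risk = likelihood x impact (assumed 1..5 likelihood scale)."""
    return likelihood * impact


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int
    impact: Impact

    def inherent(self) -> int:
        return score(self.likelihood, self.impact.worst())


@dataclass(frozen=True)
class Safeguard:
    name: str
    residual_likelihood: int  # likelihood of the harm with the safeguard in place
    residual_impact: Impact   # impact of the harm with the safeguard in place
    burden_likelihood: int    # how certain the safeguard's own cost and side effects are
    burden_impact: Impact     # harm the safeguard itself causes (spend, lost utility, friction)

    def residual(self) -> int:
        return score(self.residual_likelihood, self.residual_impact.worst())

    def burden(self) -> int:
        # The safeguard scored as a risk in its own right ("safeguard risk" in CIS RAM terms).
        return score(self.burden_likelihood, self.burden_impact.worst())


def needs_remedy(risk: Risk) -> bool:
    """Accepting a risk that is already within appetite is itself a reasonable decision."""
    return risk.inherent() > ACCEPTABLE_RISK


def three_part_test(risk: Risk, sg: Safeguard) -> tuple[bool, list[str]]:
    """Return (reasonable, findings); each finding names the part of the test that failed."""
    findings: list[str] = []
    # Part 1: residual harm to consumers / the public interest must not still need a remedy.
    residual_to_others = score(sg.residual_likelihood, sg.residual_impact.obligations)
    if residual_to_others > ACCEPTABLE_RISK:
        findings.append(f"part 1: residual risk to consumers {residual_to_others} > {ACCEPTABLE_RISK}")
    # Part 2: the safeguard must not curtail the organization's mission or objectives,
    # nor the utility of its services (all three criteria are scored in burden_impact).
    if sg.burden() > ACCEPTABLE_RISK:
        findings.append(f"part 2: safeguard burden {sg.burden()} > {ACCEPTABLE_RISK}")
    # Part 3: the burden must be proportionate to the risk the safeguard actually removes.
    reduced = risk.inherent() - sg.residual()
    if sg.burden() > reduced:
        findings.append(f"part 3: burden {sg.burden()} exceeds risk reduced {reduced}")
    return (not findings, findings)


def evaluate(risk: Risk, candidates: list[Safeguard]) -> dict[str, bool]:
    """Map each candidate safeguard name to whether it passes all three parts."""
    return {sg.name: three_part_test(risk, sg)[0] for sg in candidates}


# --- Constructed risk register entries (illustrative only) ---
LOST_LAPTOP = Risk("Customer PII on a lost or stolen unencrypted laptop",
                   likelihood=4, impact=Impact(mission=2, objectives=3, obligations=5))
CAFETERIA_MENU = Risk("Internal cafeteria menu exposed on a public share",
                      likelihood=5, impact=Impact(mission=1, objectives=1, obligations=1))
FULL_DISK_ENCRYPTION = Safeguard(
    "Full-disk encryption with escrowed keys on every laptop",
    residual_likelihood=4, residual_impact=Impact(1, 1, 1),  # laptops still get lost; data does not
    burden_likelihood=5, burden_impact=Impact(1, 1, 1))      # certain but small licensing/support cost
NO_LAPTOPS = Safeguard(
    "Ban laptops and remote access for all staff",
    residual_likelihood=1, residual_impact=Impact(1, 1, 1),
    burden_likelihood=5, burden_impact=Impact(3, 4, 2))      # cripples field work and sales
AWARENESS_POSTER = Safeguard(
    "Annual 'protect your laptop' awareness poster",
    residual_likelihood=4, residual_impact=Impact(2, 3, 5),  # changes nothing about the harm
    burden_likelihood=5, burden_impact=Impact(1, 1, 1))

if __name__ == "__main__":
    print("needs remedy:", needs_remedy(LOST_LAPTOP), needs_remedy(CAFETERIA_MENU))
    for sg in (FULL_DISK_ENCRYPTION, NO_LAPTOPS, AWARENESS_POSTER):
        ok, why = three_part_test(LOST_LAPTOP, sg)
        print(f"{sg.name}: {'reasonable' if ok else 'not reasonable'} {why}")
```

Run as a script, the lost-laptop risk scores 20 and needs a remedy, while the cafeteria-menu risk scores 5 and can simply be accepted. Full-disk encryption passes all three parts; banning laptops eliminates the risk but fails parts 2 and 3 because its burden on the organization outweighs the risk it removes; the awareness poster fails parts 1 and 3 because it leaves the consumer harm untouched. The findings list is the kind of written record the documentation step calls for: it states which interest (consumers, the organization, or proportionality between the two) each rejected safeguard would have harmed.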

 

What Is the Duty of Care Risk Analysis (DoCRA)?

The Duty of Care Risk Analysis (DoCRA) standard is an approach to establish and document reasonable security for an organization. It states that reasonable security is:

“Security that balances the interests of the organization with the interests of others who may be harmed if security fails.”

DoCRA helps organizations to review and justify risk decisions, not only from a compliance point of view but also with respect to fairness, proportionality, and legal defensibility. In essence, it considers an organization’s mission, objectives, and obligations. It effectively bridges security, business, and legal aspects in one defensible framework.

 

 

How HALOCK Helps Organizations Demonstrate Reasonable Security

HALOCK offers cybersecurity assessments that are risk-based, legally defensible, and aligned with the Duty of Care Risk Analysis (DoCRA) standard.

A HALOCK assessment helps you to:

  • Identify, quantify, and prioritize cyber risks
  • Select and balance controls with business impact
  • Document a reasonable security posture for regulators, courts, and clients
  • Establish an accountability and continuous improvement process

 

How Can You Define “Reasonable Security”?

Reasonable security means implementing safeguards that are:

Appropriate: Based on your business size, industry, and data sensitivity

Proportionate: Controls balance protection with business practicality

Recognized: Align with accepted frameworks (NIST, ISO 27001, CIS, DoCRA)

Documented: You can prove decisions, policies, and risk management actions

Adaptive: Regularly reassessed as technology, threats, and operations evolve