U.S. companies have finally received guidance from state regulators for operating reasonable security programs that are legally defensible! Seven Attorneys General in a recent court filing defined “reasonable” security, giving companies for the first time a test they can use to determine whether their cybersecurity programs will stand up to the scrutiny of lawyers and regulators. Settlement Order

FINALLY, A TEST FOR REASONABLE

The three-part test provided in Pennsylvania v Wawa, Inc 1. says that reasonableness can be demonstrated through a three-part test using DoCRA’s2 and CIS RAM’s three principles3 . That test is:

  1. The safeguards must not create a likelihood and impact of harm to Consumers or the public interest such that a remedy is needed.
  2. The safeguards may not require [the organization] to curtail its proper objectives (e.g., profit, growth, reputation, market competitiveness) or the utility of [their] services to Consumers.
  3. The burden imposed on [the organization] by the safeguards must be proportionate to the risk the safeguards reduce to consumers and the public interest.

To HALOCK’s risk management clients, this test will look familiar. These factors are the “obligations,” “mission,” and “objectives” of a DoCRA risk assessment. HALOCK has been using these DoCRA principles for many years and for hundreds of our clients.

Using DoCRA’s reasonableness principles, organizations can:

  • Establish a risk-based cybersecurity program, as required by regulators.
  • Determine when to make cybersecurity investments and when to accept risk that is reasonable.
  • Demonstrate to insurance carriers that they pose a low risk to the carrier’s portfolio for lower rates and higher coverage.
  • Defend the reasonableness of their program to regulators and attorneys when a breach occurs.

HALOCK has led this important effort to define reasonableness for the cybersecurity industry because so much is at stake for our clients in getting this right. Cybersecurity will never be perfect, but it can be “reasonable” and legally defensible, and that is HALOCK’s goal for our clients.

THE ROOT OF THE PROBLEM

Since Gramm Leach Bliley and HIPAA became encoded, information security regulations required “reasonable” safeguards using risk-based programs. The Federal Trade Commission and states followed suit by requiring the “reasonable” standard without defining it. For decades the FTC, states’ attorneys general, the Department of Health and Human Services and others all determined negligence in data breach cases by asserting that breached organizations were not reasonably protecting information.

This led to tremendous cost and unnecessary efforts. Organizations spent money on cybersecurity solutions that met compliance goals or seemed appropriate at the time without addressing actual risk. The inability to define and defend reasonableness has been very costly (e.g. attorney’s fees, class action, regulatory fines, public sentiment).

Making matters worse, in 2018 the courts told the FTC they could no longer require reasonable security unless they defined what reasonable security meant.

THE FIX

HALOCK Security Labs has worked with the country’s leading cybersecurity lawyers and experts to define “reasonable.”

Through a non-profit organization, the DoCRA Council, HALOCK donated its intellectual property to help clients demonstrate reasonable security to regulators and judges.

HALOCK worked with Center for Internet Security (CIS) to author the CIS Risk Assessment Method, (CIS RAM) which provides practical instructions and templates for conducting DoCRA-based risk assessments.

One of our partners contributed to Commentary on a Reasonable Security Test, a white paper published by the legal think tank, The Sedona Conference.

For the past several years, HALOCK has acted as expert witness for regulators and litigators to help them use DoCRA’s three-part test to determine whether an organization used reasonable controls at the time they were breached.

And on July 26 seven Attorneys General, including Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida, and the District of Columbia all filed an injunction requiring Wawa to demonstrate reasonable security controls using DoCRA’s principles.

This is an important moment in cybersecurity risk management. By six states and D.C. providing this simple and clear test for reasonable security companies now have the legal guidance to implement “reasonable” and legally defensible security programs.

Reference: Sedona Conference Commentary on a Reasonable Security Test, The Sedona Conference®

  1. Reference Reasonable and Appropriate explained in Duty of Care Risk Analysis
  2. DoCRA is Duty of Care Risk Analysis. See www.docra.org for details on the standard.
  3. CIS-RAM is Center for Internet Security Risk Assessment Method. See www.cisecurity.org for more details.


HALOCK Security Briefing Archives: Updates on cybersecurity trends, threats, legislation, reasonable security, duty of care, key acts and laws, and more that impact your risk management program.

SCHEDULE YOUR FULL HALOCK SECURITY BRIEFING