In cybersecurity, general counsel face the difficult task of balancing a company's entrepreneurial interests against its legal liabilities and obligations. An emerging legal standard supports that balancing act: regulators have required "reasonable" security since the Gramm-Leach-Bliley Safeguards Rule and the HIPAA Security Rule, and negligence cases turn on the same reasonableness question. Lawyers and cybersecurity experts have adapted the Learned Hand BPL test (a negligence test under which liability attaches when the burden of a precaution, B, is less than the probability of harm, P, multiplied by the resulting loss, L) to cybersecurity risk assessments, so that organizations can show where they attend to risk to the public and where the burden of further controls would exceed that risk. The Center for Internet Security has developed risk assessment tools (CIS RAM) to help security teams apply this test. Further resources are available at the Duty of Care Risk Analysis (DoCRA) standard website (docra.org) and at cisecurity.org.
TRANSCRIPT
You have one of the most challenging positions in cybersecurity.
You’ve got to balance the company’s entrepreneurial interests against their liabilities and obligations.
Cybersecurity doesn’t make that any simpler.
But there has been an emerging legal standard that makes this much easier. If you recall the Learned Hand BPL test from law school, that’s been adapted to cybersecurity.
Now your balancing act is supported by the law. Regulators have been requiring reasonable security since the Gramm-Leach-Bliley Safeguards Rule and the HIPAA Security Rule.
All regulations and negligence cases hinge on reasonableness.
Lawyers and cybersecurity experts have been working together to link the Learned Hand BPL test to cybersecurity risk assessments.
This lets organizations draw a line where the business will attend to risk to the public, but not to the extent where the business burden is greater than the risk. Ten states, including the District of Columbia, have adopted this balancing test in their cyber breach settlements and in regulations.
Center for Internet Security made some risk assessment tools to make this easier on your security team.
You can learn more about that by going to the DoCRA standard at docra.org, by talking to your account representative at Reasonable Risk or HALOCK Security Labs, or by going to cisecurity.org and looking at CIS RAM with your security team.