What is DoCRA?
The “Duty of Care Risk Analysis” (DoCRA) Standard is a methodology used to assess and manage information security and data protection risks. It’s a structured approach that helps organizations evaluate and prioritize risks related to the handling of sensitive information.
DoCRA helps organizations prioritize their investments and efforts in managing risks by focusing on the most critical areas that could impact the confidentiality, integrity, or availability of sensitive information.
How does DoCRA relate to “reasonable security”?
DoCRA plays a crucial role in establishing “reasonable security” by providing a logical approach to evaluating risks and determining appropriate measures to manage them. With DoCRA, organizations can establish a security framework that is proportional to the identified risks, thereby achieving a level of security that is considered reasonable and appropriate within their context and resources.
Basically, DoCRA helps make sure that your safeguard is not more burdensome than the risk you’re reducing.
Why is duty of care and reasonable security important to organizations?
Organizations have a duty of care to safeguard personal information, prevent data breaches, and maintain adequate security measures to protect against cyber threats. Failure to fulfill this duty can lead to legal liabilities, penalties, or damages if harm or breaches occur due to negligence in upholding reasonable security measures.
Duty of care involves taking reasonable steps to prevent harm or mitigate risks that a reasonable and prudent person would anticipate in a given situation.
‘Reasonable Security’ is also a requirement in a growing number of state data privacy laws and more. Other regulations include:
Health Insurance Portability and Accountability Act (HIPAA): HIPAA sets standards for protecting sensitive patient health information (PHI) by mandating reasonable security measures to safeguard electronic PHI (ePHI) against threats and unauthorized access.
New York State Department of Financial Services (NYDFS) Cybersecurity Regulation: It requires regulated financial institutions to maintain a cybersecurity program that includes reasonable security measures and controls to protect the confidentiality, integrity, and availability of information systems and non-public information.
Federal Trade Commission (FTC) Act: While not a specific privacy law, the FTC Act prohibits unfair or deceptive acts or practices in commerce. The FTC has enforced the Act by requiring companies to maintain reasonable security measures to protect consumer data.
Where has DoCRA been incorporated?
CIS RAM is based on the DoCRA Standard. CIS RAM is a risk assessment method designed to help enterprises justify investments for implementing the CIS Critical Security Controls (CIS Controls).
CIS RAM and DoCRA risk assessments meet the requirements of established information security risk assessment standards and demonstrate whether safeguards are “reasonable” and “appropriate” as regulators and judges often require.
Has DoCRA been cited in any litigation?
Herff Jones Assurance of Voluntary Compliance, PA; pg.5 – DoCRA
Herff Jones Assurance of Discontinuance, NY; pg. 5 – DoCRA
DNA Diagnostics Assurance of Voluntary Compliance, OH; pg. 7 – DoCRA
Is DoCRA referenced in other publications?
DoCRA is appearing in many publications – you can find an initial list of publications here.
How can I assess if I am practicing duty of care for our security programs?
Start with the DoCRA checklist to review your business environment.
HALOCK can help you scope your compliance needs and review your risk profile.