Upcoming events and important dates regarding Duty of Care Risk Analysis (DoCRA)

Information Security and Financial Institutions: FTC Workshop to Examine Safeguards Rule

July 13, 2020, 9:00am


The workshop will explore some of the issues raised in response to amendments the FTC has proposed making to the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program. In 2019, the FTC sought comments on the proposed amendments to the Safeguards Rule. PANELIST: Chris Cronin


NetDiligence Cyber Risk Summit 2020

July 7, 2020, 12:00-1:00pm


PANELIST: Chris Cronin

What is Reasonable Cyber Security?

TOPICS: Terms and Definitions, Various Standards of Reasonableness and Duty of Care, Risk-Based Analysis and Best Practices, Communicating to and Working with the Policyholder.


Andrew Maher (M), AXIS

Chris Cronin, Halock Security Labs

Doug Meal, Orrick LLP

Timothy Murphy, Office of Attorney General for the Commonwealth of Pennsylvania

Online Meeting on The Sedona Conference Draft Commentary on Proactive Privacy and Data Security Governance

June 24, 2020, 1:00pm EDT

A panel of WG11 drafting team members will discuss their June 2020 draft Commentary, which is designed to assist organizations in creating a privacy and data security program that takes into account the ever-increasing number of privacy and data security laws around the world, including data localization laws. The draft Commentary is intended to be applied to all privacy and data security programs, no matter the size or type of an organization.

As the online meeting will focus on in-progress work product of WG11, only Working Group Series (WGS) members are permitted to attend. The online meeting is scheduled for 90 minutes, during which time you may make comments or ask questions of the panel via live chat. We aim to replicate as closely as possible a typical dialogue between dialogue leaders and attendees at an in-person Working Group Meeting. The drafting team members welcome your feedback as the draft nears publication for public comment.

PANELIST: Chris Cronin

RSA Conference 2020

Feb 28, 2020 – San Francisco, 8:30am

Moscone Center

SPEAKER: Jim Mirochnik

Securing the Budget You Need! Translating Security Risks to Business Value.

InfoSec speaks the language of risks and costs, while Business speaks the language of rewards and revenue. The lack of a common language leads to InfoSec struggling to secure the budgets they truly need. This session demonstrates, using case studies, how the invention of Duty of Care Risk Analysis (DoCRA) can create a common language with the Business and help secure appropriate budgets.

RIMS 2020 Annual Conference

May 5, 2020 – DC, 3:50pm

Thought Leader Theater

SPEAKER: Chris Cronin

The Questions a Judge Will Ask You After a Data Breach

In post-data breach litigation, you must demonstrate due care and reasonable control. Learn how information security risk assessments can provide meaningful answers to technicians, businesses and authorities based on judicial balancing tests and regulatory definitions of reasonable risk.

CyberNext Summit 2019 – KuppingerCole Analysts

OCT 9, 2019 – DC, 9:30am

SPEAKER: Chris Cronin

The Questions a Judge Will Ask You After a Data Breach

This presentation will explain judicial balancing tests, how they relate to regulatory definitions of “reasonable” risk, and how to conduct risk assessments that prepare you to answer the tough questions before you are asked them.

Attendees will learn:

  • How to define “reasonable” in a way that makes sense to business, judges, and regulators.
  • How to design and run a risk assessment that is meaningful to technicians, business, and authorities.
  • Lessons from case studies involving regulatory oversight, lawsuits that happened, and lawsuits that never happened.

(ISC)² Security Congress: The Questions a Judge Will Ask You After a Data Breach – What is Reasonable

OCT 30, 2019 – Orlando, 1:45-2:45pm 

SPEAKER: Terry Kurzynski

What is “reasonable” security? If you are breached and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language judges use to describe “reasonable.” Organizations must use safeguards to ensure that risk is reasonable to the organization and appropriate to other interested parties at the time of the breach. This presentation references case law, regulatory oversight and the Center for Internet Security Risk Assessment Method (CIS RAM), with a discussion on the future implications of this approach toward defining reasonableness. CIS RAM is based on the Duty of Care Risk Analysis standard and is recognized by attorneys, regulators and interested parties for its ability to demonstrate reasonable implementation of controls.

Learning Objectives:

  • Define risk assessment criteria so they allow for comparison, reflect the organization’s values and will hold up to public scrutiny.
  • Model and select threats that are relevant to information assets and controls.
  • Estimate the likelihood of risks.

The Sedona Conference Working Group 11 Midyear Meeting 2019

SEP 18, 2019 – Canada

Panelist & Group Member: Chris Cronin

Proactive privacy and security governance: Complying with global data privacy and security regulations 

Healthcare Compliance Association (HCCA) – The Questions a Judge will ask you after a Data Breach

June 25, 2019 – Webinar 

SPEAKER: Tod Ferran

American Health Lawyers Association (AHLA) Webinar: “Adopting Duty of Care Risk Analysis to Drive GRC”

June 5, 2019 – Webinar 

SPEAKERS: Terry Kurzynski & Jennifer Rathburn of Foley & Lardner

Cleveland-Marshall’s Cybersecurity and Privacy Protection Conference 2019

MAY 30, 2019 – Cleveland 

PANELIST: Chris Cronin

NIST Cybersecurity Risk Management Conference – Evaluating “Reasonable” Cyber Risk Using the Center for Internet Security Risk Assessment Method

NOV 9, 2018  

PANELIST: Chris Cronin

UW E-Business Consortium: Information Technology Peer Group Meeting – DoCRA

OCT 18, 2018  

SPEAKERS: Terry Kurzynski with Foley & Lardner


OCT 23, 2018 – Chicago, 3:00-5:00pm 



FEB 13, 2019 – Chicago & Webinar



OCT 17, 2018

UW E-Business Consortium, University of Wisconsin-Madison – Cyber-Defense Strategies and Solutions: Preparing for a Cyber-breach: From Forensics to Litigation

NOV 7, 2018

LOUISIANA HOSPITAL ORGANIZATION – Acceptable Security Risk and Negligence: It’s a Fine Line

Duty of Care Risk Assessment (DoCRA): Preparing and Evaluating Risk Assessments for Reasonable Person Defenses

This presentation will cover an emerging approach for defining reasonableness in cybersecurity that uses “due care” as its basis. Referencing case law, regulatory oversight, and the recently released CIS RAM (Center for Internet Security Risk Assessment Method), the speaker will explore the future implications of this emerging approach toward defining reasonableness.

NOV 7, 2018

NIST Cybersecurity Risk Management Conference 2018

Evaluating ‘Reasonable’ Cyber Risk Using the Center for Internet Security Risk Assessment Method

The Center for Internet Security published a new risk assessment method in April 2018 that enables organizations to conduct risk assessments so they are meaningful to both internal and external audiences: regulators, litigators, cyber security specialists, and non-technical managers. The Center for Internet Security Risk Assessment Method (CIS RAM) provides detailed and practical guidance that builds on NIST 800-30, and is consistent with regulatory and legal expectations for establishing “reasonable” and “appropriate” risk. The proposed panel discussion will feature the authors of CIS RAM, who will present the method, its basis in security frameworks and law, and case studies that illustrate its use in legal and non-legal contexts.