Upcoming events and important dates regarding cybersecurity as well as the Duty of Care Risk Analysis (DoCRA)

National Association of Attorneys General (NAAG)

November 8-10, 2021

NAAG Consumer Protection Fall Conference

The NAAG Consumer Protection Fall Conference will take place from Nov. 8-10, 2021, in Washington, DC. With the support of the NAAG Consumer Protection Committee, this conference will address pressing and relevant issues related to consumer protection. Sessions during the public portion of the conference will include panels on 3rd party seller platforms, non-fungible tokens (NFTs), and ransomware, as well as a panel of attorneys general.

On Monday, November 8, registration opens for the public at 11:30 a.m., with lunch and a panel of attorneys general starting at noon. The public portion of the conference concludes with a reception that ends at 7:00 p.m. The private, nonprofit, and government sectors are invited to attend the public portion of the conference.

 RSA Conference 2021

May 18, 2021

Virtual session followed by live discussion

Forecasting Threats is Way Easier Than You Think

Innovations by cybersecurity attackers intimidate managers into thinking that they cannot forecast attacks, but publicly sourced data shows that forecasting has more to do with knowing how organizations handle sensitive assets than with attacker innovations. The presenter will show how the audience can use an unmistakable pattern in the data to plan their security programs.

SPEAKER: Chris Cronin

RSA Conference 2021

May 19, 2021


Your Breached Controls May Have Been Reasonable After All

Bill Sampson, Partner at Shook Hardy & Bacon LLP
Phyllis Lee, Senior Director for Controls The Center for Internet Security, Inc. (CIS®)
Chris Cronin, Partner at HALOCK Security Labs
Jim Trilling, Attorney in the Division of Privacy and Identity Protection at the Federal Trade Commission (FTC)
David Cohen, Counsel at Orrick, Herrington & Sutcliffe

DATE: May 19, 2021 – Wednesday, 10:45 Pacific Time



Midwest Cyber Security Alliance Virtual Meeting

February 18, 2021, 3:30 – 5:30 p.m. CST

Live Webcast Seminar

They Know You Can’t Get to 100% Compliance … and That’s Okay (HIPAA, CCPA/CPRA, GDPR, 23 NYCRR Part 500, CMMC, PCI, FISMA, FERPA) Keeping Your Eye on the Prize – Translating “Reasonable Security” into Real Data Protection

Meeting old and new security requirements is about to change. For the first time, all requirements, even version 4.0 of the PCI DSS, are going to be driven by risk. What does that mean exactly? Each organization will need to decide what its definition of “acceptable risk” is, not only for the organization, but for its clients and business partners as well as the general public. Those who could be harmed by your service or product, and in how you conduct business, need to be considered in the risk equation.

To address these issues, the next Midwest Cyber Security Alliance virtual meeting will offer an update on some familiar topics including the concept of “reasonable controls” and “acceptable risk.” These terms have permeated our security regulations and standards over the last decade and have plagued organizations just as long — until today. Quite recently, regulators, judges, and security experts have all agreed to a common calculus to determine if an organization has reasonable controls. During this session, we will dissect the Sedona Conference’s new proposed legal test for reasonable security controls based on B2 – B1 < (P x H)1 – (P x H)2.

Understanding and leveraging the legal definition of “reasonable” will certainly have its advantages — please join Foley and HALOCK Security Labs on Thursday, February 18, 2021, for a discussion on what it is and how it can be applied to your organization.


Jennifer L. Urban, CIPP/US 
Foley & Lardner LLP

Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 Auditor
Senior Partner
HALOCK Security Labs

National Foundation for Judicial Excellence: 2020 Annual Judicial Symposium

October 15, 2020, 3:15pm


Judging Efforts to Protect Personal Information: What Test Should Apply?

In LabMD, Inc. v. Federal Trade Commission, the United States Court of Appeals for the Eleventh Circuit vacated the FTC’s order that LabMD implement the FTC-designed security program on grounds it required an “indeterminable standard of reasonableness.” The panel will discuss LabMD, Inc. and the most promising standard that has emerged in the wake of it—one based upon a duty of care risk analysis. Such an approach has been adopted by the Center for Internet Security, and it has been used by Pennsylvania’s OAG in a settlement with Expedia. It is also the subject of an important, current study by the Sedona Conference; and two members from the Sedona Conference will be part of the panel.

Chris Cronin, Halock Security Labs, Schaumburg, IL
William R. Sampson, Shook Hardy & Bacon LLP, Kansas City, MO

Information Security and Financial Institutions: FTC Workshop to Examine Safeguards Rule

July 13, 2020, 9:00am


The workshop will explore some of the issues raised in response to amendments the FTC has proposed making to the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program. In 2019, the FTC sought comments on the proposed amendments to the Safeguards Rule. PANELIST: Chris Cronin

Online Meeting on The Sedona

NetDiligence Cyber Risk Summit 2020

July 7, 2020, 12:00-1:00pm


PANELIST: Chris Cronin

What is Reasonable Cyber Security?

TOPICS: Terms and Definitions, Various Standards of Reasonableness and Duty of Care, Risk-Based Analysis and Best Practices, Communicating to and Working with the Policyholder.


Andrew Maher (M), AXIS

Chris Cronin, Halock Security Labs

Doug Meal, Orrick LLP

Timothy Murphy, Office of Attorney General for the Commonwealth of Pennsylvania

Online Meeting on The Sedona Conference Draft Commentary on Proactive Privacy and Data Security Governance

June 24, 2020, 1:00pm EDT

A panel of WG11 drafting team members will discuss their June 2020 draft Commentary, which is designed to assist organizations in creating a privacy and data security program that takes into account the ever-increasing number of privacy and data security laws around the world, including data localization laws. The draft Commentary is intended to be applied to all privacy and data security programs, no matter the size or type of an organization.

As the online meeting will focus on in-progress work product of WG11, only Working Group Series (WGS) members are permitted to attend. The online meeting is scheduled for 90 minutes, during which time you may make comments or ask questions of the panel via live chat. We aim to closely as possible replicate a typical dialogue between dialogue leaders and attendees at an in-person Working Group Meeting. The drafting team members welcome your feedback as the draft nears publication for public comment.

PANELIST: Chris Cronin

RSA Conference 2020

Feb 28, 2020 – San Francisco, 8:30am

Moscone Center

SPEAKER: Jim Mirochnik

Securing the Budget You Need! Translating Security Risks to Business Value.

InfoSec speaks the language of risks and costs, while Business speaks the language of rewards and revenue. The lack of a common language leads to InfoSec struggling to secure the budgets they truly need. This session demonstrates, using case studies, how the invention of Duty of Care Risk Analysis (DoCRA) can create a common language with the Business and help secure appropriate budgets.

RIMS 2020 Annual Conference

May 5, 2020 – DC, 3:50pm

Thought Leader Theater

SPEAKER: Chris Cronin

The Questions a Judge Will Ask You After a Data Breach

In post-data breach litigation, you must demonstrate due care and reasonable control. Learn how information security risk assessments can provide meaningful answers to technicians, businesses and authorities based on judicial balancing tests and regulatory definitions of reasonable risk.

CyberNext Summit 2019 – KuppingerCole Analysts

OCT 9, 2019 – DC, 9:30am

SPEAKER: Chris Cronin

The Questions a Judge Will Ask You After a Data Breach

This presentation will explain judicial balancing tests, how they relate to regulatory definitions of “reasonable” risk, and how to conduct risk assessments that prepare you to answer the tough questions before you need to be asked.

Attendees will learn:

  • How to define “reasonable” in a way that makes sense to business, judges, and regulators.
  • How to design and run a risk assessment that is meaningful to technicians, business, and authorities.
  • Learn from case studies involving regulatory oversight, law suits that happened, and law suits that never happened.

(ISC)² Security Congress: The Questions a Judge Will Ask You After a Data Breach – What is Reasonable

OCT 30, 2019 – Orlando, 1:45-2:45pm 

SPEAKER: Terry Kurzynski

What is “reasonable” security? If you are breached and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language judges use to describe “reasonable.” Organizations must use safeguards to ensure that risk is reasonable to the organization and appropriate to other interested parties at the time of the breach. This presentation references case law, regulatory oversight and the Center for Internet Security Risk Assessment Method (CIS RAM), with a discussion on the future implications of this approach toward defining reasonableness. CIS RAM is based on the Duty of Care Risk Analysis standard ( and is recognized by attorneys, regulators and interested parties for its ability to demonstrate reasonable implementation of controls.

Learning Objectives:

  • Define risk assessment criteria so they allow for comparison, reflect the organization’s values and will hold up to public scrutiny.
  • Model and select threats that are relevant to information assets and controls.
  • Estimate the likelihood of risks.

The Sedona Conference Working Group 11 Midyear Meeting 2019

SEP 18, 2019 – Canada

Panelist & Group Member: Chris Cronin

Proactive privacy and security governance: Complying with global data privacy and security regulations 

Healthcare Compliance Association (HCCA) – The Questions a Judge will ask you after a Data Breach

June 25, 2019 – Webinar 

SPEAKER: Tod Ferran

American Health Lawyers Association (AHLA) Webinar:  “Adopting Duty of Care Risk Analysis to Drive GRC

June 5, 2019 – Webinar 

SPEAKERS: Terry Kurzynski & Jennifer Rathburn of Foley & Lardner

Cleveland-Marshall’s Cybersecurity and Privacy Protection Conference 2019

MAY 30, 2019 – Cleveland 

PANELIST: Chris Cronin

NIST Cybersecurity Risk Management Conference – Evaluating “Reasonable” Cyber Risk Using the Center for Internet Security Risk Assessment Method

NOV 9, 2018  

PANELIST: Chris Cronin

UW E-Business Consortium: Information Technology Peer Group Meeting – DoCRA

OCT 18, 2018  

SPEAKERS: Terry Kurzynski with Foley & Lardner


OCT 23, 2018 – Chicago, 3:00-5:00pm 

Reserve your seat at


FEB 13, 2019 – Chicago & Webinar

Reserve your seat at


OCT 17, 2018

UW E-Business Consortium, University of Wisconsin-Madison – Cyber-Defense Strategies and Solutions: Preparing for a Cyber-breach: From Forensics to Litigation

NOV 7, 2018

LOUISIANA HOSPITAL ORGANIZATION – Acceptable Security Risk and Negligence: It’s a Fine Line

Duty of Care Risk Assessment (DoCRA): Preparing and Evaluating Risk Assessments for Reasonable Person Defenses

This presentation will cover an emerging approach for defining reasonableness in cybersecurity that uses “due care” as its basis. Referencing case law, regulatory oversight, and the recently-released CIS RAM (Center for Internet Security Risk Assessment Method), the speaker will explore the future implications of this emerging approach toward defining reasonableness.

NOV 7, 2018

NIST Cybersecurity Risk Management Conference 2018

Evaluating ‘Reasonable’ Cyber Risk Using the Center for Internet Security Risk Assessment Method

Center for Internet Security published a new risk assessment method in April 2018 that enables organizations to conduct risk assessments so they are meaningful to both internal
and external audiences: regulators, litigators, cyber security specialists, and non-technical
managers. The Center for Internet Security Risk Assessment Method (CIS RAM) provides
detailed and practical guidance that builds on NIST 800-30, and is consistent with
regulatory and legal expectations for establishing “reasonable” and “appropriate” risk. The
proposed panel discussion will feature the authors of CIS RAM who will present the
method, its basis in security frameworks and law, and case studies that illustrate its use in
legal and non-legal contexts.