There is a new law in Ohio called the Ohio Data Protection Act (S.B. 220), signed by Gov. John Kasich on August 3, 2018 and set to go into effect on November 1, 2018. It is the first piece of legislation introduced as a result of the CyberOhio Initiative. It grants businesses an affirmative defense in Ohio courts if a data breach occurs and the business can prove it had a CyberSecurity program in place that meets industry-recognized security frameworks.
Rather than an imposed mandate, the Act is intended to provide businesses with a voluntary legal incentive to achieve a ‘higher level of security’ through a written CyberSecurity program and strong CyberSecurity controls that protect data. It applies to tort claims only, i.e. negligence and invasion of privacy claims.
To be eligible for this new defense, the business must have a CyberSecurity program in place that is formulated to:
- Protect the confidentiality and security of personal information,
- Protect against unauthorized access to and acquisition of personal information that is likely to result in a material risk of fraud or identity theft, and
- “Reasonably conform” to one of the listed frameworks for information security, cybersecurity, or security assessment:
  - CIS Critical Security Controls, ISO/IEC, or
  - NIST, or
  - If credit card payment is accepted at the business, the cybersecurity program must also act in accordance with the Payment Card Industry Data Security Standard (PCI DSS) to qualify for the affirmative defense,
  - Similarly, businesses subject to state or federally mandated security requirements may also qualify. Examples include the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act amendments to HIPAA, Title V of the Gramm-Leach-Bliley Act (GLBA), and the Federal Information Security Modernization Act (FISMA).
While most large businesses already have many, if not all, of these items in place, this new law can be particularly beneficial to small businesses. However, the challenge is that businesses do not automatically qualify for this new safe harbor, and qualification may be difficult to establish. Under the Ohio Data Protection Act, the business still bears the burden of proving that its CyberSecurity program complied with the law’s requirements.
Another challenge is that there is no universal approach. The necessary scale and scope of the CyberSecurity program required to activate the safe harbor is determined by various factors: the size, complexity and nature of the business and its activities; the sensitivity of the personal information it possesses; the cost and availability of tools to improve security and reduce vulnerabilities; and the resources the business has at its disposal to spend on CyberSecurity.
In addition, many of the aforementioned frameworks do not have a standardized certification process, so proving that a cybersecurity program conforms to the applicable framework may also be challenging.
However, given the increasing and sometimes devastating cost, downtime and reputational risk that a data breach presents for businesses, the Ohio Data Protection Act is a step in the right direction — it rewards those that adopt and maintain a more robust cybersecurity program with a significant safe harbor incentive that can provide some legal protection after a data breach. While the effects of this law are minimal from a litigation standpoint, it may prompt other states to recognize the importance of this issue and take legal steps towards positive change as well.
From a business perspective, the Ohio Data Protection Act helps businesses build a financial justification for being cyber prepared. In the past, many organizations viewed Cybersecurity plans and the services that came with them (penetration tests, vulnerability scans, training, etc.) as an expense, albeit an expense of doing business. As an expense with no tangible benefit, Cybersecurity plans were often pushed to the bottom of an organization’s to-do list. Now there is a real benefit for that expense: a get-out-of-jail-free card when the program is properly implemented and the business faces certain types of lawsuits post breach. It could also be surmised that, with this additional benefit of being cyber ready, an organization may be considered even more negligent if it is not properly prepared.
LINK TO LEGISLATION TEXT: https://www.legislature.ohio.gov/legislation/legislation-summary?id=GA132-SB-220
For Assistance with CyberSecurity
If you want professional assistance in implementing a data privacy or CyberSecurity program, inclusive of the technical aspects that are required, please CONTACT VESTIGE today.
Vestige Digital Investigations helps organizations Identify, Investigate, Manage and Protect the most vital digital resources. We do that through a robust set of inter-related services, including: Digital Forensics, Proactive and Reactive CyberSecurity Solutions and E-Discovery Services. With 90% of the world’s communication wrapped into digital form…how can Vestige help you in the digital frontier?