Ohio Businesses Will Soon Be Incentivized to Implement Cybersecurity Programs
By: Jen Horn
Companies that take reasonable cybersecurity precautions against data breaches will have a distinct advantage starting in November. That’s because Ohio’s Data Protection Act, which Governor John Kasich signed in August, formally takes effect November 2nd.
The Act, the first legislation of its kind in the country, creates a legal incentive for businesses that maintain a recognized cybersecurity program. (Other states, such as New York, require a certain level of compliance with cybersecurity standards, but don’t offer any incentive to do so). Provided that its cybersecurity plan conforms to a certain framework, a company may invoke a “safe harbor defense” in Ohio to a cause of action that alleges a failure to implement reasonable IT security controls that resulted in a data breach.
In order to qualify for this legal defense, the business must implement a written cybersecurity plan that clearly does the following:
- Protects the security and confidentiality of personal information;
- Protects against anticipated threats or hazards to the security or integrity of personal information; and
- Protects against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or fraud.
This is not a one-size-fits-all type of plan. It may be based on a company’s size, the nature and scope of its activities, the sensitivity of any personal information protected under the cybersecurity program, and the cost and availability of tools to improve information security and reduce vulnerabilities.
The one thing that any cybersecurity program must do, however, is “substantially comply” with one of eight industry-recognized frameworks, which include:
- Center for Internet Security’s Critical Security Controls for Effective Cyber Defense;
- Federal Information Security Modernization Act;
- Federal Risk and Authorization Management Program’s Security Assessment Framework;
- Gramm-Leach-Bliley Act’s Safeguards Rule;
- Health Information Technology for Economic and Clinical Health Act;
- International Organization for Standardization (ISO)/International Electrotechnical Commission’s (IEC) 27000 Family – Information Security Management Systems Standards; and
- National Institute of Standards and Technology’s (NIST) Cybersecurity Framework.
The Act does not provide companies with blanket immunity to a data breach lawsuit, and businesses do still have the burden of proving that their cybersecurity program complies with the law’s requirements. But as long as a business can establish compliance, the Act gives it an affirmative defense to tort actions (including invasion of privacy and negligence) that it might be facing following a data breach that involves personal or restricted information.
As we advise clients time and again, no one is immune from the threat of a data breach, and companies should approach data security as a question of when a breach will happen, not if. The new Act will give Ohio businesses an advantage if they take the time to evaluate things like what data they create, maintain, or share, and create a cybersecurity program that is appropriate for their company.