On August 3, 2018, Governor John Kasich signed Senate Bill 220, also known as the “Ohio Data Protection Act”. Unfortunately, this caused some confusion for businesses operating in Ohio, so today, we will discuss the act and how it may apply to you. This act IS NOT meant to lay forth a minimum security requirement for businesses in Ohio. In fact, the law states the following:
This act is intended to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action. The act does not, and is not intended to, create a minimum cybersecurity standard that must be achieved, nor shall it be read to impose liability upon businesses that do not obtain or maintain practices in compliance with the act.
Instead, eligible organizations may rely on their conformance to certain cybersecurity frameworks as an affirmative defense against tort claims in data breach litigation. The act is intended to provide organizations with a legal incentive to implement written cybersecurity programs.
What frameworks are considered adequate under the Act?
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
- NIST Special Publications 800-53, 800-53A, or 800-171
- Federal Risk and Authorization Management Program Security Assessment Framework
- Center for Internet Security Critical Security Controls for Effective Cyber Defense
- International Organization for Standardization / International Electrotechnical Commission’s 27000 Family – Information Security Management Systems
- Health Insurance Portability and Accountability Act of 1996 Security Rule
- Health Information Technology for Economic and Clinical Health Act
- Title 5 of the Gramm-Leach-Bliley Act of 1999
- Federal Information Security Modernization Act of 2014
- Payment Card Industry Standard combined with another listed framework
Qualification for this new safe harbor will not be automatic and may be challenging to establish. It will be interesting to follow cases in which defendants rely on this rule as part of their defense. For example, many of the specified frameworks, such as the NIST Cybersecurity Framework, do not have a standard certification process, so proving that a security program conforms to the applicable framework may prove difficult. Additionally, plenty of organizations say they adopt a standard but “pencil-whip” their security and compliance efforts, so how much due diligence will be done to investigate organizations claiming compliance as a defense? However, given the increasing risk that cybersecurity presents for many organizations, the Ohio Data Protection Act may grant some relief to those that are truly handling security the right way.

Have questions? Want to explore standing up a security program based on one of the eligible frameworks? Please reach out today!