BreachExchange mailing list archives
INSIGHT: Getting Ready for Ohio’s New Data Protection Act
From: Destry Winant <destry () riskbasedsecurity com>
Date: Sun, 4 Nov 2018 23:27:28 -0600
https://www.bna.com/insight-getting-ready-n57982093431/

Ohio businesses that implement written cybersecurity programs may be less vulnerable to civil liability from data breaches because of the recent passage of the Ohio Data Protection Act (Senate Bill 220, Ohio Rev. Code § 1354.01, et seq.). Effective Nov. 2, 2018, the Act seeks to provide a legal safe harbor to businesses that implement a specified cybersecurity program by providing compliant businesses with an affirmative defense to tort actions brought under Ohio law or in Ohio courts. The Act’s supporters hope it will incentivize businesses to implement cybersecurity programs voluntarily, while critics have questioned whether the law’s limited scope will produce its intended effect.

The Data Protection Act was initially conceived by the Ohio Attorney General’s CyberOhio Initiative, which seeks to help Ohio businesses address data security threats. When the Act was signed into law, the Attorney General issued a statement claiming that “Ohioans can be confident that their personal information will be better protected” and that “companies have even more incentive to invest in strong cyber security controls.” A closer look at the law, however, suggests little to assure the confidence promised by the Attorney General.

What the Act Requires

The Data Protection Act entitles a complying business “to an affirmative defense to any cause of action sounding in tort that is brought under the laws of [Ohio] or in [Ohio] courts” alleging “that the failure to implement reasonable information security controls resulted in a data breach concerning personal information.” Ohio Rev. Code § 1354.02(D).

To be eligible for this affirmative defense, the business must “create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards” for the protection of personal information and “restricted” information, and that reasonably conforms to an industry-recognized cybersecurity framework. Ohio Rev. Code § 1354.02(A). The cybersecurity program must be designed to (1) protect the security and confidentiality of personal or restricted information, (2) protect against any anticipated threats or hazards to the security or integrity of such information, and (3) protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates. Ohio Rev. Code § 1354.02(B). A business seeking to take advantage of the defense will have the burden of proving that it meets all three of these eligibility requirements.

Recognizing that businesses are varied in size and complexity (as well as in their activities and the types of information they process and collect), and that different cybersecurity solutions may therefore be appropriate to meet their needs, the Act further provides that the “scale and scope” of a chosen program will be appropriate if it is based on all of the following factors: the size and complexity of the covered entity; the nature and scope of the activities of the covered entity; the sensitivity of the information to be protected; the cost and availability of tools to improve information security and reduce vulnerabilities; and the resources available to the covered entity. Ohio Rev. Code § 1354.02(C).

Businesses may choose among several industry-recognized frameworks in establishing their cybersecurity programs. The Act states that a business’s cybersecurity program provides the requisite protections if it “reasonably conforms” to the current version of any of the following frameworks, or any combination of them:

- the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST);
- NIST Special Publication 800-171;
- NIST Special Publications 800-53 and 800-53a;
- the Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework;
- the Center for Internet Security Critical Security Controls for Effective Cyber Defense; or
- the International Organization for Standardization/International Electrotechnical Commission 27000 Family - Information Security Management Systems.

Ohio Rev. Code § 1354.03(A).

If a business is regulated by the State of Ohio or the federal government, or is otherwise subject to the requirements of the regulations listed below, the business’s cybersecurity program conforms to an “industry recognized cybersecurity framework” if it reasonably conforms to the current version of:

- the security requirements of the Health Insurance Portability and Accountability Act of 1996;
- Title V of the Gramm-Leach-Bliley Act of 1999;
- the Federal Information Security Modernization Act of 2014; or
- the Health Information Technology for Economic and Clinical Health Act.

Ohio Rev. Code § 1354.03(B).

Cybersecurity programs for businesses dealing with payment cards satisfy the requirements of the Act if they both reasonably comply with the current version of the Payment Card Industry (PCI) Data Security Standard and reasonably conform to the current version of one of the other industry-recognized cybersecurity frameworks listed above.

Criticism of the Act

Despite its support and passage, some have criticized the Act for a variety of reasons. First, while the Act does provide an affirmative defense to certain types of claims, it is not a defense to all claims. The affirmative defense is limited to tort claims brought under Ohio law or in Ohio courts. The Act does not provide a defense to breach of contract claims, statutory violations, or other non-tort claims, nor does it protect businesses from claims brought under other states’ laws or in other states’ courts. Since plaintiffs bringing nationwide class actions often have a choice of states in which to bring their claims, the defense is unlikely to be effective in such cases.

Moreover, even when the affirmative defense is asserted, it would not be automatic. Rather, the business would have the burden to prove its defense, and it would ultimately be up to a judge or perhaps a jury to decide whether the defense applies. The standard of what constitutes “reasonable compliance” with an accepted cybersecurity framework is subjective, since there is no certification process offered to verify compliance. Thus, to take advantage of the defense, a business will likely have to engage in expensive discovery and motion practice, and possibly even trial.

Some critics have suggested that businesses will pass along the costs of implementing the requisite cybersecurity programs to customers. Others have argued that Ohio should simply require businesses to implement cybersecurity measures instead of merely incentivizing them to do so. Ultimately, time will tell whether the Act produces its intended benefits.

Looking Ahead

Despite the criticisms and recognized limitations of the law, businesses should assess whether compliance with the Act will nevertheless be beneficial. Robust cybersecurity programs are de rigueur in today’s online environment, offering a substantial competitive advantage for forward-looking businesses. Just as many companies have used the EU General Data Protection Regulation as a selling point to convey their commitment to protecting the personal information of customers and potential clients, Ohio companies will likely tout their compliance with the Act as a value-added benefit of doing business with them.

Moreover, in case of a breach and subsequent regulatory investigation and/or litigation, any business able to demonstrate compliance with one or more recognized cybersecurity frameworks will surely be ahead of the curve. Furthermore, the process of implementing a cybersecurity program may serve to make an entity more aware of the issues and challenges involved in securing personal and business data for itself, its employees, and its customers. Finally, implementing a good data security program may give the business an advantage in securing appropriate cyber insurance at a reasonable cost.