Ohio’s Data Protection Act becomes effective November 2, 2018
Ohio’s incentive for businesses to actively create, maintain and comply with cybersecurity programs becomes effective November 2, 2018. Senate Bill 220, also known as the Data Protection Act, will amend Ohio Revised Code Sections 1306.1 and 3772.01 and enact Chapter 1354, and will encourage businesses to comply with an industry-recognized cybersecurity framework. Those who do may use such compliance as an affirmative defense to any tort action arising out of an alleged failure to implement reasonable information security controls.
Personal and Restricted Information
The safe harbor defense is available not only for actions based on an alleged breach of personal information, but also for those involving restricted information. Personal information is defined as the connection of a person’s name with another identifier such as their Social Security number, driver’s license or state identification number, or a financial account number. Businesses are currently required to disclose data breaches involving personal information under O.R.C. § 1349.19.
Restricted information is much broader in that it includes “any information about an individual, other than personal information, that, alone or in combination with other information, can be used to distinguish or trace the individual’s identity or that is linked or linkable to an individual”. Consider information such as email addresses, member ID numbers, or PINs being released without any connection to the individual’s name. The inclusion of restricted information in O.R.C. Chapter 1354 gives businesses an opportunity to demonstrate compliance even if the information affected is not of a nature which would trigger the disclosure requirements of O.R.C. § 1349.19.
To be eligible for the affirmative defense, the cybersecurity program must 1) protect the security and confidentiality of the information; 2) protect against any anticipated threats or hazards to the security or integrity of the information; and 3) protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.
As this safe harbor provision is available to businesses of all sizes, Ohio legislators have recognized that a “one size fits all” approach is not appropriate when it comes to evaluating a cybersecurity program. Whether the scale and scope of a cybersecurity program is appropriate will depend on a number of factors, including the business’s size and complexity, the nature and scope of its activities, the sensitivity of the information to be protected, the cost and availability of tools to improve information security and vulnerabilities, and the resources available to the business.
An eligible business will create, maintain, and comply with at least one of multiple frameworks identified in the legislation, including frameworks developed by the National Institute of Standards and Technology (NIST), the Center for Internet Security Controls for Effective Cyber Defense, the security requirements of HIPAA, and the Payment Card Industry Data Security Standard (PCI DSS).
These programs contain administrative, technical and physical safeguards as required under O.R.C. Chapter 1354. Administrative safeguards address security and information management, incident procedures, and contingency plans, among other items. Technical safeguards include controls on access, audits, and integrity. Finally, physical safeguards relate to who physically accesses the information and how the information is used.
A business complies with one of the identified frameworks so long as it updates its own program within one year of any revisions to the framework itself.
Implementation and Looking Forward
A compliant cybersecurity program will touch on every aspect of a business and should influence employee training, vendor selection and agreements, and top-to-bottom evaluation of access to information.
Vendors should be able to provide information as to their own cybersecurity measures and policies. Employees should be made aware of your cybersecurity program, and they should be trained in its procedures as much as they are in the day-to-day operations of your business. Finally, there should be an ongoing evaluation as to who should have necessary access to information, what kind of information they should be able to access, and when they should be able to access the information.
Generally, cybersecurity firms differ from IT firms, and as such, businesses should feel comfortable having a conversation with their current IT vendors about their ability to assist in implementing and maintaining a cybersecurity program. It may be necessary to retain a cybersecurity firm.
It is important to note that the safe harbor only provides an affirmative defense, not an absolute immunity, to tort actions. This will not apply to actions arising out of breach of contract, and the business will still need to demonstrate its compliance with its chosen framework.
Also noteworthy is the legislation’s allowance of transactions and contracts via blockchain technology, which allows transactions with cryptocurrencies such as Bitcoin to take place. While not all businesses are comfortable using these technologies, currencies like Bitcoin are increasing in use and popularity due in part to the ability to verify the legitimacy of the transaction. Ohio’s Data Protection Act gives some peace of mind to businesses who have been hesitant to participate in blockchain technology.
Ohio’s Data Protection Act encourages businesses to jumpstart their cybersecurity programs and provides them with the frameworks to do so. While there is certainly an up-front cost to implementing a cybersecurity program, the number of data and privacy breaches in recent years makes it a worthwhile investment.
MRR is proud to announce that partner Casey C. Stansbury is a newly elected member of the Federation of Defense and Corporate Counsel (FDCC) Board of Directors for 2018-2019. He is the youngest attorney to be elected to the distinguished Board’s membership over the organization’s 80-year history.
Casey focuses his practice on insurance defense, civil rights, and governmental liability issues. He regularly counsels and represents police officers, correctional officials, municipalities, and public officials in a variety of matters including employment concerns, contract disputes, and civil rights actions. Casey has a diverse practice including the defense of employers, both public and private. In addition to his representation of public entities and officials, Mr. Stansbury has experience in handling various other types of litigation matters including cases concerning construction disputes, commercial law, and motor vehicle accidents.
Casey received the Defense Research Institute’s (DRI) 2014 Albert H. Parnell Outstanding Program Chair Award and served as the DRI Government Liability Committee Chair. He is also a newly appointed member of the National Retail and Restaurant Defense Association (NRRDA).
The FDCC is dedicated to promoting knowledge, fellowship, and professionalism of its members as they pursue the course of a balanced justice system and represent those in need of a defense in civil lawsuits. Fellows are hand-picked and are proven leaders in-house and in the courthouse. It is an elite group that drives the agenda and educates the defense legal community.
Mazanec, Raskin & Ryder Co., LPA (MRR) is proud to announce that attorney Joseph F. Nicholas, Jr. has been chosen Cleveland’s 2019 “Lawyer of the Year” in Transportation Law by Best Lawyers. Only one lawyer in each practice area from each of the major metropolitan areas in Ohio is honored as “Lawyer of the Year.” Best Lawyers compiles its lists of outstanding attorneys by conducting thousands of confidential peer-review surveys. Lawyers honored as “Lawyers of the Year” have received particularly high ratings by earning the respect of their peers for their abilities, professionalism, and integrity.
Joe is President and Managing Partner of MRR, which has offices in Cleveland and Columbus, Ohio, and Lexington, Kentucky. He has a diverse legal practice with an emphasis on handling commercial trucking (long haul and short haul) and commercial coach carrier matters. Throughout his career, his practice has also included the defense of professionals, including lawyers, accountants, doctors, dentists, architects and insurance agents and brokers.
In addition, he has significant experience litigating bad faith claims as well as defending various third-party matters, including general liability, product liability and construction defects. Joe has an AV Preeminent rating from Martindale-Hubbell Law Directory and was also selected as a Best Lawyer in America for Transportation Law in 2018.
Prior to being named President and Managing Partner in 2012, Joe served as the firm’s Administrative Partner of its Cleveland office from 2000-2012.
Active in a number of professional organizations, he is a member of the Ohio State Bar Association; the Cleveland Metropolitan Bar Association; the Professional Liability Defense Federation (Past Chair of Insurance Agents & Brokers Committee); Claims and Litigation Management Alliance; the Trucking Industry and Defense Association; and Your House Counsel, in which he currently serves as the Group Chair.
Mazanec, Raskin & Ryder Co., LPA (MRR) is pleased to announce that nine attorneys have been named to the 2019 Edition of Best Lawyers®, the oldest and most respected peer-reviewed publication in the legal profession. Lawyers on The Best Lawyers in America© list are divided by geographic region and practice areas. They are reviewed by their peers on the basis of professional expertise.
MRR would like to congratulate the following attorneys named to the 2019 Edition of The Best Lawyers in America© list:
Todd M. Raskin (Cleveland), Civil Rights Law
John T. McLandrich (Cleveland), Civil Rights Law
Thomas S. Mazanec (Cleveland), Product Liability Litigation – Defendants
Joseph F. Nicholas, Jr. (Cleveland), Transportation Law
George V. Pilat (Cleveland), Insurance Law
Elisabeth “Lisa” Gentile (Columbus), Medical Malpractice – Defendants
Stacy V. Pollock (Columbus), Education Law
Barry M. Miller (Lexington), Commercial Litigation; Litigation – Insurance
Casey C. Stansbury (Lexington), Litigation – Insurance
About Best Lawyers®
Since it was first published in 1983, Best Lawyers® has become universally regarded as the definitive guide to legal excellence. Best Lawyers lists are compiled based on an exhaustive peer-review evaluation. Over 79,000 leading attorneys globally are eligible to vote, and we have received more than 12 million votes to date on the legal abilities of other lawyers based on their specific practice areas around the world. For the 2016 Edition of The Best Lawyers in America©, 6.7 million votes were analyzed, which resulted in more than 55,000 leading lawyers being included in the new edition. Lawyers are not required or allowed to pay a fee to be listed; therefore inclusion in Best Lawyers is considered a singular honor. Corporate Counsel magazine has called Best Lawyers “the most respected referral list of attorneys in practice.” For more information, visit bestlawyers.com.
Selected by A.M. Best, MRR’s Lexington Partner Barry M. Miller participated on August 2, 2018 in “Claims: Cyber Intruders Target the Insurance Legal Community” along with three other expert panelists from across the nation.
Click here to view and listen.
New forms of cyber exposure, including new types of fraud, disruption and cyber spoofing, threaten the relationships of insurers and outside legal counsel. Access the link above and listen to Barry and his webinar partners discuss how firms and cyber experts are responding to the growing range of risks; which strategies seem most popular among cyber intruders; and how insurers are developing new information-sharing strategies.