Ohio’s Data Protection Act becomes effective November 2, 2018
Ohio’s incentive for businesses to create, maintain and comply with a cybersecurity program becomes effective November 2, 2018. Senate Bill 220, also known as the Data Protection Act, amends Ohio Revised Code Sections 1306.1 and 3772.01 and enacts Chapter 1354, which encourages businesses to conform to an industry-recognized cybersecurity framework. A business that does so may raise that conformity as an affirmative defense to a tort action alleging that its failure to implement reasonable information security controls resulted in a data breach.
Personal and Restricted Information
The safe harbor defense is available not only for actions based on an alleged breach of personal information, but also for those based on a breach of restricted information. Personal information means an individual’s name in combination with another identifier such as a Social Security number, a driver’s license or state identification number, or a financial account number. Businesses are already required to disclose data breaches involving personal information under O.R.C. § 1349.19.
Restricted information is much broader: it includes “any information about an individual, other than personal information, that, alone or in combination with other information, can be used to distinguish or trace the individual’s identity or that is linked or linkable to an individual.” Consider email addresses, member ID numbers, or PINs disclosed without any accompanying name. The inclusion of restricted information in O.R.C. Chapter 1354 lets a business invoke the defense even when the affected data would not trigger the disclosure requirements of O.R.C. § 1349.19.
To be eligible for the affirmative defense, the cybersecurity program must be designed to (1) protect the security and confidentiality of the information; (2) protect against any anticipated threats or hazards to the security or integrity of the information; and (3) protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.
Because the safe harbor is available to businesses of all sizes, Ohio legislators recognized that a “one size fits all” standard is not appropriate for evaluating a cybersecurity program. Whether the scale and scope of a program are appropriate depends on a number of factors, including the business’s size and complexity, the nature and scope of its activities, the sensitivity of the information to be protected, the cost and availability of tools to improve information security and reduce vulnerabilities, and the resources available to the business.
An eligible business creates, maintains, and complies with at least one of the frameworks identified in the legislation. These include frameworks developed by the National Institute of Standards and Technology (NIST), the Center for Internet Security Critical Security Controls for Effective Cyber Defense, the security requirements of HIPAA for businesses already subject to it, and the Payment Card Industry Data Security Standard (PCI DSS), which the statute recognizes only in combination with one of the other listed frameworks.
These frameworks supply the administrative, technical and physical safeguards that O.R.C. Chapter 1354 requires. Administrative safeguards address security and information management, incident response procedures, and contingency plans, among other items. Technical safeguards include access controls, audit logging, and integrity controls. Physical safeguards govern who can physically reach the systems and media holding the information and how that information is used and stored.
When a chosen framework is revised, a business remains in compliance with it only if it updates its own program to conform to the revision within one year of the revision’s publication.
Implementation and Looking Forward
A compliant cybersecurity program will touch on every aspect of a business and should influence employee training, vendor selection and agreements, and top-to-bottom evaluation of access to information.
Vendors should be able to document their own cybersecurity measures and policies. Employees should know the cybersecurity program exists and be trained in its procedures as thoroughly as they are in the day-to-day operations of the business. Finally, there should be an ongoing evaluation of who needs access to information, which information they need, and when they need it, so that access is limited to what each role actually requires.
Cybersecurity firms generally differ from general IT providers. Businesses should nonetheless ask their current IT vendors whether they can assist in implementing and maintaining a cybersecurity program, and should be prepared to retain a dedicated cybersecurity firm if they cannot.
It is important to note that the safe harbor provides only an affirmative defense, not absolute immunity, and only against tort actions. It does not apply to actions arising out of breach of contract, and because it is an affirmative defense, the business bears the burden of demonstrating that it actually complied with its chosen framework at the relevant time.
Also noteworthy is the legislation’s recognition of records, signatures and contracts secured through blockchain technology, the technology that underlies transactions in cryptocurrencies such as Bitcoin. While not every business is comfortable with these technologies, cryptocurrencies like Bitcoin continue to grow in use and popularity, in part because each transaction can be independently verified against the public ledger. Ohio’s Data Protection Act gives some peace of mind to businesses that have hesitated to use blockchain technology.
Ohio’s Data Protection Act encourages businesses to jumpstart their cybersecurity programs and points them to established frameworks for doing so. While implementing a cybersecurity program carries an up-front cost, the volume of data and privacy breaches in recent years makes it a worthwhile investment.