Can Your Business Use Ohio's New Cybersecurity "Safe Harbor" Law to Prevent Litigation?
Many states have statutes that require businesses that deal with employee or customer personal information to develop and adopt a written cybersecurity program. Although laws vary by state, the general trend has been for businesses and other entities to adopt some sort of industry-recognized framework to protect the personal information they hold. Although this includes protecting information from third-party hackers, it also extends to protecting data from more common cyber-threats caused by careless or malevolent employees. Businesses operating in the expanding Internet of Things (IoT) space have even more information to protect. Depending on the state, failure to maintain a cybersecurity program can, in itself, create a cause of action enforceable either by the state or by an affected consumer. Additionally, if a business experiences a data breach and has not complied with any specific cybersecurity requirements, then any resulting litigation is less defensible and more problematic.
Ohio has taken a critical step in encouraging businesses to adopt cybersecurity programs. Ohio Governor John Kasich recently signed into law the Ohio Data Protection Act (S.B. 220), which went into effect November 2, 2018. What is different about Ohio’s new law is that rather than requiring a business to create some sort of cybersecurity program, it instead incentivizes businesses to do so. If a business operating in Ohio can establish that it has a cybersecurity program in place that meets industry-recognized or statutory standards, then that business can claim an affirmative defense in Ohio courts in the event of a data breach under Ohio’s cybersecurity safe harbor. The safe harbor is limited to tort claims alleging a failure to implement reasonable information security controls that results in a data breach concerning personal information.
To be eligible for the Ohio cybersecurity safe harbor, a business must create, maintain, and comply with a written cybersecurity program that:
- Protects the confidentiality and security of the information;
- Protects against any anticipated threats or hazards to the security or integrity of the information; and,
- Protects against unauthorized access to and acquisition of personal information that is likely to result in a material risk of fraud or identity theft.
Additionally, a business must implement a cybersecurity program that reasonably conforms to one of the statute’s listed industry-recognized or statutory frameworks for cybersecurity. Further, businesses that accept credit cards must have a program that reasonably conforms with the Payment Card Industry Data Security Standard (PCI DSS).
Many larger businesses likely already have some level of cybersecurity program in place. The same is hopefully true for businesses that operate in multiple states, given that many states require written cybersecurity programs. For Ohio small businesses, the return on investment for developing a compliant cybersecurity program has been greatly enhanced by this new law. Importantly, the new law considers various factors in determining whether a business’s cybersecurity program qualifies for the Ohio cybersecurity safe harbor. The factors considered include the size and resources of the business, the complexity of the business, the cost of improving the security program, and the sensitivity level of the data maintained by the business. In other words, while a large multi-state or multi-national business might need a more robust set of security protocols in place to qualify for the safe harbor, a small business that deals with a limited amount of personal information and has limited resources would have a lower burden in comparison.
The takeaway is that all businesses that deal with employee or customer personal information should have some sort of legitimate cybersecurity program in place. Even if your jurisdiction does not yet require one, the national trend is clearly in that direction. Ohio has simply provided an additional incentive for businesses to implement such cybersecurity programs. Whether a business implements a program to comply with a statutory requirement, to qualify for the Ohio cybersecurity safe harbor, or simply to increase its ability to withstand scrutiny in the event of a data breach, the bottom line is that all businesses are advised to take such action.
For assistance in developing a compliant cybersecurity program, feel free to contact William Barath. Bill counsels clients on employment-related data security and IoT issues. Stephen counsels clients on data protection and privacy compliance.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.