Ohio Data Protection Act

For businesses who implement security measures, Ohio becomes the first state in the nation to implement a law that affords a data breach safe harbor - the Ohio Data Protection Act.Not a week goes by without hearing about a new data breach. It’s becoming common knowledge that companies, both small and large, are facing the tough reality that it is no longer a matter of if, but really when a company will be affected by a data breach.
Over the years, lawmakers have struggled with constructing effective methods to strengthen the cybersecurity of organizations without mandating one-size-fits-all requirements, which makes it challenging. At the beginning of November, Senate Bill 220, also known as the Ohio Data Protection Act, was enacted into law in the state of Ohio—which represents the first law that accomplishes that goal.
Today’s RiskBusiness entities are prime targets…and victims, of computer-network penetration and data theft. In addition to hackers, businesses also face significant threats originating from inside the organization as well.
Data breach incidents have increased in recent years both in frequency and severity. Attacks are becoming more sophisticated – from ransomware to phishing attacks, identify and data theft and more. Often, the financial consequences of a data breach are catastrophic especially considering the cost of potential downtime for the business. In addition to the loss of time and money caused by a breach, reputation is also another factor that is affected. Businesses may choose to steer clear of utilizing a vendor or partner who has had a significant breach.
The easiest way to get in front of a breach and work to prevent one from happening is to have a strategy in place to protect your business. Now, with the help of Ohio’s new Data Protection Act, there are even legal incentives for putting those safeguard policies in place.  
What is the Ohio Data Protection Act?To incentivize companies to adopt appropriate cybersecurity protections, Ohio enacted the Data Protection Act (DPA). Specifically, the law gives companies a safe harbor against data breach claims for companies who implement, maintain, and comply with one of several industry-recognized cybersecurity programs.
The major benefit of being a compliant business is the new affirmative defense to legal claims that frequently result from cybersecurity breaches. In the event of an attack, a DPA compliant business can assert DPA compliance as a defense to any claim resulting from the breach, which could save businesses from the costs of court judgments and prolonged litigation. This way, companies can use compliance with an established, credible, written policy as a shield against cybersecurity claims in the state of Ohio.
Included in the text of the DPA, it states the act does not “create a minimum cybersecurity standard that must be achieved” or “impose liability upon businesses that do not obtain or maintain practices in compliance with the act.” Instead, the DPA endeavors “to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action.”
How to QualifyIn order to qualify for the safe harbor (Senate Bill 220), a business must implement a written cybersecurity program that:

• Protects the security and confidentiality of personal information
• Protects against anticipated threats or hazards to the security or integrity of personal information
• Protect against unauthorized access to and acquisition of data

The scale and scope of the company’s cybersecurity program should be based on these factors:

1. The company’s size and complexity
2. The nature and scope of its activities
3. The sensitivity of the personal information maintained by the company
4. The cost and availability of tools to improve information security
5. The resources available to the company

The Act also requires each cybersecurity program to “reasonably conform” to one of the following frameworks:

• National Institute of Standards and Technology’s (NIST) Cybersecurity Framework
  • NIST Special Publication 800-171 or Special Publications 800-53 and 800-53a
• Federal Risk and Authorization Management Program’s (FedRAMP) Security Assessment Framework
• Center for Internet Security’s Critical Security Controls for Effective Cyber Defense
• International Organization for Standardization (ISO)/International Electrotechnical Commission’s (IEC) 27000 Family – Information Security Management Systems Standards
• For businesses that accept payment cards – must also comply with the Payment Card Industry’s Data Security Standards (PCI-DSS) in addition to one of the frameworks listed above

The DPA is the first law in the country to provide incentives to businesses to implement certain cybersecurity controls through the utilization of an affirmative defense to liability in the wake of a data breach. With that said, these laws will be a work in progress. The act does not provide any additional information yet, regarding how a company can successfully establish that its cybersecurity plan “reasonably conforms” with one of the listed frameworks. However, this cybersecurity law is a new opening for organizations of all sizes who want to limit their liability in case of a data breach, and this work is still providing great value to companies – you can’t go wrong with making the effort to be more secure in your business and establish better policies.