For businesses that implement security measures, Ohio becomes the first state in the nation to enact a law that affords a data breach safe harbor: the Ohio Data Protection Act.

Not a week goes by without hearing about a new data breach. It is becoming common knowledge that companies, both small and large, are facing the tough reality that it is no longer a matter of if, but when, a company will be affected by a data breach.
Over the years, lawmakers have struggled to construct effective methods of strengthening the cybersecurity of organizations without mandating one-size-fits-all requirements. At the beginning of November, Senate Bill 220, also known as the Ohio Data Protection Act, was enacted into law in the state of Ohio; it is the first law to accomplish that goal.
Today’s Risk

Business entities are prime targets, and victims, of computer-network penetration and data theft. In addition to external hackers, businesses also face significant threats originating from inside the organization.
Data breach incidents have increased in recent years in both frequency and severity. Attacks are becoming more sophisticated, from ransomware and phishing attacks to identity and data theft and more. Often, the financial consequences of a data breach are catastrophic, especially considering the cost of potential downtime for the business. Beyond the loss of time and money caused by a breach, reputation is also affected: businesses may choose to steer clear of a vendor or partner who has suffered a significant breach.
The easiest way to get ahead of a breach, and to work to prevent one from happening, is to have a strategy in place to protect your business. Now, with the help of Ohio’s new Data Protection Act, there are also legal incentives for putting those safeguard policies in place.
What is the Ohio Data Protection Act?

To incentivize companies to adopt appropriate cybersecurity protections, Ohio enacted the Data Protection Act (DPA). Specifically, the law gives a safe harbor against data breach claims to companies that implement, maintain, and comply with one of several industry-recognized cybersecurity programs.
The major benefit of being a compliant business is a new affirmative defense to the legal claims that frequently result from cybersecurity breaches. In the event of an attack, a DPA-compliant business can assert DPA compliance as a defense to any claim resulting from the breach, which could save the business the costs of court judgments and prolonged litigation. In this way, companies can use compliance with an established, credible, written policy as a shield against cybersecurity claims in the state of Ohio.
The text of the DPA itself states that the act does not “create a minimum cybersecurity standard that must be achieved” or “impose liability upon businesses that do not obtain or maintain practices in compliance with the act.” Instead, the DPA endeavors “to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action.”
How to Qualify

In order to qualify for the safe harbor (Senate Bill 220), a business must implement a written cybersecurity program that:
About the Author: With over twenty-five years’ experience, Pat Thompson, CPCU, is a respected veteran of the property and casualty insurance industry. His commercial lines underwriting experience and independent agency ownership qualify him to properly mitigate the risks of any business.