Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Ohio Enacts Law Giving Affirmative Defense to Businesses Which Beef Up Cybersecurity

August 8, 2018

Columbus Business First reported on August 3rd that Ohio Governor John Kasich had signed into law a bill that aims to prod businesses to beef up security by giving companies something of a "safe harbor" if they voluntarily invest in better cybersecurity to protect customer information.

The Ohio Data Protection Act provides an affirmative legal defense for companies that suffer a data breach and are then sued for not implementing reasonable security protocols.

Eligible organizations may rely on conformity to certain cybersecurity frameworks as an affirmative defense against tort claims in data breach litigation.

To qualify for this new defense, the organization must implement a written cybersecurity program designed to (1) protect the security and confidentiality of personal information, (2) protect against anticipated threats or hazards to the security or integrity of personal information, and (3) protect against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or fraud. The scale of the cybersecurity program should be appropriate to the organization based on its size and complexity, the nature and scope of its activities, the sensitivity of the personal information protected under the program, the cost and availability of tools to improve its information security and the resources available to the organization.

This is a good recognition that one size does not fit all, but makes conforming to the safe harbor more difficult to establish.

Additionally, the organization's cybersecurity program must "reasonably conform" to one of the following cybersecurity frameworks:

National Institute of Standards and Technology's (NIST) Cybersecurity Framework;

NIST special publication 800-171, or 800-53 and 800-53a;

Federal Risk and Authorization Management Program's Security Assessment Framework;

Center for Internet Security's Critical Security Controls for Effective Cyber Defense;

International Organization for Standardization (ISO)/International Electrotechnical Commission's (IEC) 27000 Family – Information Security Management Systems Standards.

For organizations that accept payment cards, their cybersecurity programs must also comply with the Payment Card Industry's Data Security Standards (PCI-DSS) to qualify for the affirmative defense. Similarly, organizations subject to certain state or federally mandated security requirements may also qualify, such as the security requirements in the Health Insurance Portability and Accountability Act (HIPAA), Title V of the Gramm-Leach-Bliley Act (GLBA), the Federal Information Security Modernization Act (FISMA), or the Health Information Technology for Economic and Clinical Health Act (HITECH).

The legislation expressly states that it does not "create a minimum cybersecurity standard that must be achieved" or "impose liability upon businesses that do not obtain or maintain practices in compliance with the act." Rather, it seeks "to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action."

The striking part is that this law is the first in the nation to offer an affirmative defense to companies that implement certain cybersecurity controls.

In general, I like the idea of this approach, though it may prove hard for some companies to prove that, say, they conform to the NIST Cybersecurity Framework, which doesn't have a standard certification process. The Doubting Thomas side of me also worries that some companies are given certifications when they are not truly in compliance. But it is certainly an interesting experiment.

Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson