Ohio Substitute Senate Bill 220, 132nd Gen. Assemb. (Ohio 2018) bill hosted by The Ohio Legislature.
On August 3, 2018, Governor John Kasich signed the Ohio Data Protection Act (“Act”) into law. The Act will go into effect on November 2, 2018. A product of Ohio Attorney General Mike DeWine’s CyberOhio Initiative, the Act introduces an incentive-based compliance mechanism to encourage “covered entities”—essentially any business that “accesses, maintains, processes, or communicates” personal or restricted information—to implement effective cybersecurity policies. By adopting industry cybersecurity standards specified in the Act, businesses gain a legal “safe harbor.” Specifically, this “safe harbor” entitles businesses to an affirmative defense against any tort action that alleges a failure to implement adequate information security controls resulting in a data breach of personal information.
Compliance with the Act is completely voluntary. Businesses face no requirements; the legal incentive of increased protection against lawsuits is intended to be sufficient to induce businesses to comply. This approach is unique. Not all states have cybersecurity laws, and those that do tend to adopt punitive approaches toward businesses that fail to comply with their laws. By taking a voluntary approach to compliance, Ohio wagers that businesses will help it accomplish its goals by seeing clear benefits, as opposed to legally-enforced penalties, in compliance.
The goal of Ohio’s Act is to incentivize businesses to introduce cyber security regimes that “(1) Protect the security and confidentiality of the information; (2) Protect against any anticipated threats or hazards to the security or integrity of the information; (3) Protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates” (Act). Given recent high-profile data security breaches which have generated significant litigation, Ohio’s legislation appears particularly timely.
Businesses have some leeway in implementing effective information security standards. In implementing their standards, businesses must protect the security of information, protect against anticipated threats to the security of information, and protect against unauthorized access to information that is likely to result in identity theft or other fraud. Ultimately, a business can meet these requirements by “reasonabl[y] conform[ing]” to one of the following information security frameworks:
- Center for Internet Security’s Critical Security Controls;
- Federal Risk and Authorization Management Program;
- International Organization for Standardization/International Electrotechnical Commission’s 27000 Family - Information Security Management Systems;
- National Institute of Standards and Technology (NIST) Cybersecurity Framework;
- NIST Special Publication 800-171, 800-53, or 800-53a.
If a business is regulated by, and complies with, certain other state and/or federal government frameworks, it may also satisfy the terms of the Act. These frameworks include:
- Federal Information Security Modernization Act of 2014;
- Health Insurance Portability and Accountability Act of 1996;
- Health Information Technology for Economic and Clinical Health Act;
- Title V of the Gramm-Leach-Bliley Act of 1999.
Finally, if a business processes payment cards, it must comply with Payment Card Industry (PCI) standards—specifically, the PCI Data Security Standard—to qualify for the affirmative defense.
The particular design of the cyber security program will vary by business, taking into account a business’s “size and complexity,” “nature and scope of activities,” “sensitivity of information,” “cost and availability of tools to improve security,” and “resources available to the covered entity” (Act). Thus, a smaller business will face different threshold requirements for implementing an effective cyber security regime than a larger business.
Although other factors—such as consumer concern over cybersecurity and costly lawsuits—may motivate businesses to improve their information security mechanisms, the affirmative defense offered by the Act provides a strong additional incentive. Still, the voluntary nature of Ohio’s Act provides no guarantee of companies’ compliance. Businesses’ resistance to mandatory information security regulation elsewhere attests to the likely impact of compulsory schemes.
The Act pioneers a creative solution to information security issues. Its model promotes State objectives while simultaneously offering businesses an opportunity to protect consumers and thereby gain increased legal protection.