Ohio law creates cybersecurity 'safe harbor' for businesses

Businesses showing good faith by modeling their cybersecurity after an approved framework will have legal protection under Ohio's Data Protection Act.

Image: fotoguy22, Getty Images/iStockphoto

Businesses in the US will be interested in a ground-breaking Ohio law that took effect on November 2, 2018. The state's Data Protection Act gives businesses an affirmative defense when they are sued for failing to implement adequate cybersecurity protections; it does not grant immunity from such suits.

"Importantly, the new law does not create a minimum cybersecurity standard in Ohio or new cybersecurity regulations that businesses must follow," writes Mary Grob, of McGuireWoods LLP, in the JD Supra article New Cybersecurity Law Offers Safe Harbor Against Tort Claims. "Rather, the law operates by incentivizing businesses to develop and maintain a cybersecurity program that 'reasonably conforms' to an already existing, industry-recognized cybersecurity framework."

Grob continues, "If the company can prove that it had a compliant cybersecurity program in place at the time of a breach, the company can use the program's existence as an affirmative defense to certain tort claims."


According to Wikipedia, a tort is defined as follows:

"In common-law jurisdictions, a tort is a civil wrong that causes a claimant to suffer loss or harm resulting in legal liability for the person who commits the tortious act."

According to FindLaw.com, to win a negligence case the plaintiff (the injured party) must prove the following four elements to show that the defendant (the party allegedly at fault) acted negligently:

  • The defendant owed a legal duty to the plaintiff under the circumstances
  • The defendant breached that legal duty by acting or failing to act in a certain way
  • It was the defendant's actions (or inaction) that actually caused the plaintiff's injury
  • The plaintiff was injured as a result of the defendant's actions

Compliant frameworks under the Ohio law

Under the Data Protection Act, compliant frameworks include:

  • National Institute of Standards and Technology (NIST) Cybersecurity Framework
  • NIST Special Publications 800-53, 800-53A, or 800-171
  • Federal Risk and Authorization Management Program Security Assessment Framework
  • Center for Internet Security Critical Security Controls for Effective Cyber Defense
  • International Organization for Standardization / International Electrotechnical Commission's 27000 Family - Information Security Management Systems
  • Health Insurance Portability and Accountability Act of 1996 Security Rule
  • Health Information Technology for Economic and Clinical Health Act
  • Title V of the Gramm-Leach-Bliley Act of 1999
  • Federal Information Security Modernization Act of 2014
  • Payment Card Industry Data Security Standard (PCI DSS), in combination with another listed framework

"The law allows businesses to determine the appropriate framework to follow based on the individualized needs of the business," states Grob in her JD Supra article. Choosing a framework is not enough on its own: the Ohio law also requires that the scale and scope of the cybersecurity program be appropriate given:

  • Size and complexity of the covered entity
  • Nature and scope of the activities of the covered entity
  • Sensitivity of the information protected
  • Cost and availability of tools to improve information security and reduce vulnerabilities
  • Resources available to the covered entity


The law may be lacking

Victoria Hudgins, in her Law.com article How Will Ohio's New 'Safe Harbor' Breach Law Affect Enterprises?, interviewed attorneys in Ohio about the effectiveness of the new law. As one might expect, some found it lacking.

"The problem is none of these standards are fixed in stone; there's no certification attached," said Frances Floriano Goins, the Cleveland, OH-based co-chair of Ulmer and Berne's cybersecurity and privacy group. "The standard says a lot regarding the generalization of what is required but not the specifics of what they must contain."

"A covered entity will have the burden of proof to demonstrate that it meets all three eligibility requirements," wrote Baker & Hostetler attorneys Brian Bartish and Craig Hoffman regarding the new law, on the firm's Data Privacy Monitor. "There is a big difference between writing a cybersecurity plan and actually implementing it correctly at the start, let alone demonstrating compliance with the program requirements at the time of a security incident."

Incentive or not?

The open question is whether the new law is incentive enough for companies to meet the requirements of an appropriate framework. According to Hudgins, the lawyers she interviewed said large companies already comply with industry-specific and recognized frameworks for data security and breach prevention; the new law might instead motivate smaller companies to do so.

"Historically, data breach laws were used to punish companies, but this Ohio law differs because it provides safe harbors," David Zetoony, Bryan Cave's global data privacy and security practice lead, tells Hudgins. "From a litigation standpoint the effect is minimal. However, the Ohio legislation may start a wave of similar state regulations."

Other states may follow

Cleveland-Marshall College of Law professor Brian Ray, who served on a subcommittee that assembled the Ohio legislation, agrees with Zetoony. He told Hudgins that the committee intended to give companies an incentive and to raise the bar for combating cyber breaches.

Ray added, "If more states follow it, it may move the needle."

In this litigation-prone world, having a cybersecurity safe harbor appears to be a good idea, provided a business can actually document, at the time of an incident, that its program conformed to the framework it chose.