A first-of-its-kind data security law, the recently enacted Ohio Data Protection Act[1] may signal the beginning of a new trend in the legal approach to corporate cybersecurity obligations. At the same time, it may provide some assistance to businesses struggling to ensure that they have implemented legally required data security.
Titled “An Act . . . to provide a legal safe harbor to covered entities that implement a specified cybersecurity program . . . ” the Ohio Data Protection Act took effect on November 1, 2018 and introduces two very important concepts relevant to cybersecurity compliance:
The Act applies to any business that accesses, maintains, communicates, or processes “personal information” and/or “restricted information.” Those terms are defined as follows:
To obtain the benefit of the affirmative defense, a business must “create, maintain, and comply with a written cybersecurity program” that satisfies three requirements. The cybersecurity program must:
Businesses that meet these requirements are entitled to an affirmative defense to any cause of action sounding in tort, brought under the laws of Ohio or in the courts of Ohio, that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.[6]
The “industry-recognized cybersecurity frameworks” that qualify for the safe harbor under the Act (and to which an organization’s cybersecurity program must “reasonably conform”) are the following:
For all businesses:

For regulated businesses:
This approach appears to recognize that cybersecurity programs based on any of the foregoing provide “reasonable security,” and that providing “reasonable security” is a defense in the case of a breach.
This Ohio statute is the first cybersecurity law providing an express safe harbor for entities that exercise “reasonable security”. However, it should be noted that a few years ago the California Attorney General released a report setting forth what might be described as a reverse safe harbor – i.e., if you don’t take certain steps, then you will be deemed not to have provided legally compliant reasonable security.
In the “California Data Breach Report 2012 – 2015,”[14] the California Attorney General referenced the requirement under California law that businesses implement “reasonable” security[15] and noted that the Center for Internet Security’s Critical Security Controls for Effective Cyber Defense (the Controls)[16] are designed to address this challenge.[17] But then the Report went further, stating that failure to implement those Controls constitutes a lack of reasonable security. Specifically, the Report states that:

The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.[18]
It is unclear whether either the safe harbor approach adopted by the Ohio statute or the so-called reverse safe harbor approach promoted by the California Attorney General will gain traction. But as businesses struggle with the issue of defining “reasonable security,” we can probably expect to see more law and regulation along these lines.
1 ORC 1354 et seq.
2 ORC 1354.01(D); 1349.19.
3 ORC 1354.02(A) (emphasis added)
4 ORC 1354.02(B)
5 ORC 1354.02(C)
6 ORC 1354.02(D)
7 NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (April 16, 2018).
8 NIST SP 800-171, Rev. 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (December 2016).
9 NIST SP 800-53, Rev. 5, Security and Privacy Controls for Information Systems and Organizations (Initial Public Draft, August 2017).
10 NIST SP 800-53A, Rev. 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations (December 18, 2014).
11 FedRAMP Security Assessment Framework, Ver. 2.4 (November 15, 2017).
12 CIS Controls, Center for Internet Security.
13 ISO/IEC 27000 Family of Information Security Standards
14 California Data Breach Report 2016, California Attorney General (February 2016), at pp. 27-34.
15 See Cal. Civ. Code § 1798.81.5(b), (“A business that owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”)
16 The CIS Critical Security Controls for Effective Cyber Defense, Version 6, October 15, 2015, available from the Center for Internet Security. Formerly known as the SANS Top 20, the Controls are now managed by the Center for Internet Security (CIS), a non-profit organization that promotes cybersecurity readiness and response by identifying, developing, and validating best practices.
17 Id. at p. 30.
18 Id. (emphasis added).