On December 19, 2018, former Ohio Governor John Kasich signed into law Substitute Senate Bill Number 273 (“SSB 273”). The bill creates new provisions of the Ohio Revised Code, sections 3965.01 through .11, which, in summary, require insurance companies and others who are or who are required to be licensed, authorized, or registered pursuant to the insurance laws of Ohio (collectively, “Covered Entities,” also known as “Licensees”) to develop, implement, and maintain comprehensive cybersecurity protocols or “information security programs” to monitor, detect, investigate, and rectify computer data breaches.
Legislative Trend Nationwide
SSB 273 is modeled after the Insurance Data Security Model Law of the National Association of Insurance Commissioners (“NAIC”), which the NAIC approved in 2017. To date, it appears that Ohio is only the second state after South Carolina to adopt a version of the Model Law. The bill follows on the heels of the Ohio Data Protection Act signed into law one month prior (Senate Bill 220, enacting Ohio Revised Code sections 1354.01 through .05), which, in turn, provides an affirmative defense for businesses sued for data breaches if they created, maintained, and complied with cybersecurity programs that conform to certain standards.
A Single-Standard Framework in Which the Details May Vary
SSB 273 sets forth the exclusive information security standards for Covered Entities under Ohio law. But the standards are not “cookie-cutter.” Although the law sets forth a uniform framework, each Covered Entity must develop its own information security program based on an individualized risk assessment that results in a program commensurate with the size, nature, and complexity of that Covered Entity and its information. Therefore, not only is it important for a Covered Entity to have an adequate information security program, but it is also important for the Covered Entity to have a reasoned basis for it.
Although the requirements of the law are outlined in lengthy detail, the standard framework includes the following:
- Designate one or more persons or entities to act on behalf of the Covered Entity to be responsible for the information security program;
- Identify reasonably foreseeable internal or external threats to the Covered Entity’s information systems;
- Assess the risks of the reasonably foreseeable internal or external threats to the Covered Entity’s information systems;
- Assess the sufficiency of the Covered Entity’s existing information systems, policies, and procedures;
- Design and implement an information security program to mitigate the identified risks and meet the requirements of the law; and
- Reassess the effectiveness of the information security program at least once a year.
Covered Entities are also required to exercise due diligence in selecting third-party service providers, and they must require any retained third-party service provider to implement its own adequate information security program to protect the Covered Entity’s information and systems to which the third-party service provider has access.
Reporting, Auditing, and Certification
Any data breaches must be reported to the superintendent of insurance; and the law empowers the superintendent of insurance to audit Covered Entities for compliance with the requirements of the law. These obligations are in addition to the data breach reporting requirements set forth in Ohio Revised Code section 1349.19. Furthermore, insurers domiciled in Ohio are uniquely required to certify with the superintendent of insurance on an annual basis that they are in compliance with the requirements of the law.
Timing for Compliance
All Covered Entities have one year to meet the bulk of SSB 273’s requirements and two years to meet the due diligence and oversight obligations in connection with third-party service providers. It is important to note for anyone who sits on a board of directors for a Covered Entity or who is a member of executive management of a Covered Entity that the law expressly places responsibility on them to ensure that the requirements of the law are met.
Effect of Compliance
Compliance with SSB 273 satisfies the standards under the Ohio Data Protection Act and triggers the “safe harbor” provision of that law. In other words, compliance with SSB 273 constitutes an affirmative defense for Covered Entities in civil lawsuits alleging harm caused by a data breach because of a failure to implement reasonable information security controls. In short, compliance renders an information security program for Covered Entities adequate as a matter of law.
Much of the information obtained by the department of insurance pursuant to SSB 273’s reporting and certification provisions, as well as information obtained by, created by, or disclosed to the superintendent of insurance in the course of auditing or investigating Covered Entities, is deemed confidential and privileged. Documents containing such information do not constitute “public records” under Ohio law for purposes of public records requests and are not subject to subpoena; and the information is not subject to discovery or admissible in evidence in any private civil action. That said, the superintendent of insurance may use the information in the course of regulatory or legal actions brought as part of its duties.
Covered Entities are exempt from SSB 273’s requirements for developing, implementing, and maintaining a comprehensive information security program if they have fewer than twenty employees; or if they have less than five million dollars in gross annual revenue; or if they have less than ten million dollars in assets as measured at the end of their fiscal year. Also exempt are employees, agents, representatives, independent contractors, and designees of Covered Entities, who themselves qualify as Covered Entities but who are covered under the information security programs of their principals. Such persons and entities are not, however, exempt from other aspects of the law, including the requirements of investigating and reporting data breaches and being subject to audit by the superintendent of insurance.
Even if exempt, it is important to remember that a business, like anyone else, is still required to conduct itself with due care. The lack of an adequate information security program could expose a business to civil liability for a data breach. Therefore, even exempt persons and entities should read SSB 273 and its new statutory provisions closely and carefully. Although it sets standards only for Covered Entities, it provides guidance on what a legally sound information security program could otherwise look like under Ohio law.