Cyberattacks are a reality that can impact even the best-prepared business. Unfortunately, corporate victims of data breaches often become the targets of litigation and governmental enforcement actions, adding costly insult to serious injury. The Ohio legislature has addressed this inequity by providing (limited) protection from private litigation to businesses that suffer a data breach despite their cybersecurity planning and execution.
Beginning November 2, 2018, businesses will have the ability to invoke a cybersecurity safe harbor provision pursuant to Ohio law (SB 220) to obtain tort-related liability protection if they suffer a data breach. Businesses can undertake simple measures to efficiently and effectively avail themselves of Ohio’s cybersecurity safe harbor.
Background on SB 220
What Does the Cybersecurity Safe Harbor Protect Against?
Pursuant to SB 220, a “covered entity” that has adopted a written cybersecurity program may raise an affirmative defense to any tort action alleging that its “failure to implement reasonable information security controls resulted in a data breach” involving either personal information or restricted information. In other words, this safe harbor will enable businesses that have implemented appropriate cybersecurity programs to counter allegations of tort liability due to a data breach. This often occurs when plaintiffs initiate negligence or privacy-related claims after their personal information is compromised in a data breach. However, the safe harbor does not protect against liability for violating contractual obligations (e.g., contractual provisions governing data protection) or alter any other obligation that a business may have to report the data breach to affected individuals, government or regulatory agencies, or any other entity.
Who Can Invoke the Safe Harbor?
SB 220 applies to a “covered entity,” which is defined as any type of business, including a nonprofit organization, that “accesses, maintains, communicates, or processes” personal or restricted information “in or through one or more systems, networks, or services.” SB 220 incorporates the definition of “personal information” from Ohio’s data breach notification law, which defines it as an individual’s name (i.e., first name or first initial and last name) linked to a Social Security number, driver’s license or state identification number, or financial account or credit card data. In contrast, the term “restricted information” means “any information about an individual, other than personal information, that, alone or in combination with other information, including personal information, can be used to distinguish or trace the individual’s identity or that is linked or linkable to an individual.”
Generally, the definitions of personal and restricted information exclude data that is unreadable (e.g., encrypted or redacted) and would not cause any harm or risk to individuals in the event that either is compromised in a data incident. SB 220 provides safe harbor only to data breaches involving electronic documents and does not provide any liability protection in the event that physical (i.e., hard-copy) documents or records are lost, stolen or otherwise compromised.
How to Qualify for the Safe Harbor?
In order to invoke the Ohio cybersecurity safe harbor provision, a business must “create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards” to protect personal information (or personal and restricted information) and that “reasonably conforms to an industry recognized cybersecurity framework.” The law identifies, among others, the following as acceptable industry recognized cybersecurity frameworks:
- The Framework for Improving Critical Infrastructure Cybersecurity - developed by the National Institute of Standards and Technology (NIST);
- NIST Special Publication 800-171;
- The Federal Risk and Authorization Management Program Security Assessment Framework;
- ISO/IEC 27000, Information Security Management Systems;
- The Health Insurance Portability and Accountability Act’s security rule; and
- The Payment Card Industry Data Security Standard.
The law provides some context to the “reasonably conforms” criterion by stating that the “scale and scope” of a covered entity’s cybersecurity program “is appropriate” if it is based on the following: the size and complexity of the covered entity; the nature and scope of the covered entity’s activities; the sensitivity of the information; the cost and availability of tools to improve information security and reduce vulnerabilities; and the resources available to the covered entity.
Strategize and Leverage Your Existing Cybersecurity Efforts
To effectively and efficiently avail themselves of Ohio’s cybersecurity safe harbor, businesses should (1) consolidate their existing cybersecurity measures, (2) identify which of the above-mentioned cyber standards set forth in SB 220 most closely aligns with their current cybersecurity program, and (3) update their cybersecurity practices to satisfy any outstanding requirements.
Consolidate Existing Cybersecurity Measures. SB 220 does not require businesses to establish any particular cybersecurity program, nor does it create new liability for failing to do so. Rather, the purpose of the law is to incentivize businesses to proactively implement cybersecurity measures to protect personal data under their control. Many businesses have already implemented some technical, physical and administrative data security measures to protect corporate data (e.g., trade secrets, protected health information, intellectual property). For example, businesses routinely use encryption protocols, firewalls and other technical programs to safeguard corporate data, as well as incident response procedures, confidentiality requirements and other administrative security measures. However, these safeguards, plans and policies may have been generated and implemented in a disparate and inconsistent manner. The safe harbor provision requires these policies be reviewed and consolidated under a unified – and written – cybersecurity program.
Identify Where Your Program Aligns. Once a business determines the scope of its existing cybersecurity program, it should compare and contrast it to the acceptable cybersecurity frameworks set forth in SB 220 to identify the framework with which it most closely aligns. Thereafter, it will be better positioned to more narrowly create and implement the remaining elements of the cybersecurity framework needed to satisfy the safe harbor provision. Separately, for businesses that are already subject to an acceptable cybersecurity framework set forth in SB 220, they may simply need to expand their existing cyber program to cover personal information in their possession. For example, businesses that have a medical benefits plan that is subject to HIPAA will have likely implemented several of the cybersecurity measures required by the HIPAA security rule. Similarly, government contractors processing defense-related information will have likely already satisfied NIST 800-171 requirements pursuant to federal acquisition regulations. If these businesses simply expand their security controls from their existing scope (e.g., protected health information, covered defense information) to address all personal information, then they would be able to rely upon Ohio’s safe harbor law.
Satisfy Outstanding Requirements. Once a business determines the acceptable cybersecurity framework with which it most closely aligns, it should implement any outstanding physical, technical and administrative measures needed in order to satisfy the framework’s remaining requirements. In addition, to ensure that a business can rely upon the safe harbor provision, it will need to establish an internal or external process to continuously monitor its cybersecurity program for compliance purposes.
Cyberattacks against the private sector continue to increase in scope and sophistication, and the Ohio law provides a valuable safe harbor to businesses that proactively build a cybersecurity program. Thompson Hine can help any business obtain safe harbor status with a Cybersecurity Legal Audit. Our Cybersecurity Legal Audit includes a comprehensive analysis of corporate cybersecurity and data privacy policies and procedures to gauge conformity with Ohio’s acceptable cybersecurity frameworks and can assist in achieving compliance in a cost-effective manner.