Starting today, Ohio businesses with written cybersecurity programs have a new defense to raise if they are sued under state law over a data breach.
Ohio’s Data Protection Act (Senate Bill 220, Ohio Rev. Code § 1354.01, et seq.) takes effect today, creating a safe harbor from tort liability for businesses that meet specified cybersecurity standards. The law won’t prevent litigation over a data breach, but it gives companies hit with such claims an affirmative defense if they have met the law’s requirements, chief among them adopting a written cybersecurity program that reasonably conforms to one of several recognized industry frameworks, such as the NIST Cybersecurity Framework.
The law grew out of the Ohio Attorney General’s CyberOhio Initiative, a collection of programs aimed at helping Ohio’s businesses fortify themselves against cyber-attacks. In announcing the law, Ohio’s Attorney General said that “Ohioans can be confident that their personal information will be better protected” and that “companies have even more incentive to invest in strong cyber security controls.”
Whether the state’s vision for the law will be achieved is an open question.
“The purpose of this act,” reads the legislation, “is to establish a legal safe harbor to be pled as an affirmative defense to a cause of action sounding in tort that alleges or relates to the failure to implement reasonable information security controls, resulting in a data breach. The safe harbor shall apply to all covered entities that implement a cybersecurity program that meets the requirements of this act.”
To benefit from the new law, a company must clear two definitional hurdles. First, it must be a “business,” a broadly defined term that includes nonprofits “organized, chartered, or holding a license authorizing operations” under the laws of any state or country. Second, it must be a “covered entity,” essentially any business that “accesses, maintains, processes, or communicates” personal or restricted information.
Requirements of the Law
To take advantage of Ohio’s safe harbor, a business must put in place a cybersecurity program that satisfies three requirements:
- The program must be designed to protect the security and confidentiality of personal information;
- It must protect against any anticipated threats or hazards to the security or integrity of personal information; and,
- It must protect against unauthorized access to and acquisition of personal information.
The Ohio law makes clear that there is no “one-size-fits-all” solution. The act “does not, and is not intended to, create a minimum cybersecurity standard that must be achieved, nor shall it be read to impose liability upon businesses that do not obtain or maintain practices in compliance with the act.”
As a benchmark, the statute says that an organization’s cybersecurity program must “reasonably conform” to one of the following frameworks: the NIST Cybersecurity Framework; the Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework; the Center for Internet Security’s Critical Security Controls for Effective Cyber Defense; or the International Organization for Standardization/International Electrotechnical Commission’s 27000 family of information security management standards.
Alternatively, businesses already subject to state or federal regulatory requirements may qualify for the safe harbor if they conform to the security requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA); Title V of the Gramm-Leach-Bliley Act of 1999; the Federal Information Security Modernization Act of 2014; or the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Companies that accept credit card payments must also comply with the Payment Card Industry Data Security Standard (PCI DSS) to qualify for the affirmative defense.
Safe Harbor Limits
The Ohio law doesn’t create blanket immunity, only an affirmative defense to tort claims brought against businesses that suffer a data breach. The business bears the burden of proving that its cybersecurity program complies with the new law. The safe harbor is also limited in scope: by its terms, it doesn’t reach non-tort claims, such as contract disputes with vendors or customers over the security terms of an agreement.
Ohio’s law is a first step toward giving businesses an incentive to improve their cybersecurity hygiene. Because its scope is limited to tort claims brought under state law or in Ohio courts, it will be of limited use when plaintiffs bring nationwide class action lawsuits.
Additionally, because the law gives a defendant an affirmative defense rather than carte blanche, many of the burdens of litigation remain. The business will likely still have to go through discovery and motion practice, and ultimately it must prove that its cybersecurity program was reasonable, most likely a fact-specific inquiry that turns on the particular circumstances of the business and the breach.
Robust cybersecurity programs are a must in today’s environment, with or without the Ohio law. At a minimum, the new law gives Ohio companies an incentive to implement new or upgrade existing cybersecurity programs, which will be useful for demonstrating compliance in either a litigation or a regulatory context.