Good news! The Ohio legislature has offered financial institutions some legal protection in the form of the Ohio Data Protection Act (the “Act”), effective November 2 and believed to be a first-of-its-kind state law.
This blog post surveys the Act’s implications for financial institutions. Many of them may already meet the Act’s requirements, or could do so without excessive effort, and thereby gain “safe harbor” protection in future litigation. Meeting the Act’s standard will be good for your business, and it may help you defend a lawsuit later.
Codified as Ohio Revised Code sections 1354.01 et seq., the Act applies to two types of information that financial institutions necessarily obtain and use: (1) “restricted information,” which is information about an individual that, alone or in combination with other information, can be used to distinguish or trace the individual’s identity; and (2) “personal information,” which is an individual’s name combined with one of the following: that individual’s social security number, driver’s license number, state identification number, account number, credit card number, or debit card number.
Fortunately, the Act creates an affirmative defense that a financial institution can raise if it suffers a data breach and is subsequently the target of civil tort litigation over the improper release of restricted or personal information. To benefit from the affirmative defense, the financial institution must “create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of both personal information and restricted information,” in reasonable conformance with the standards set out in Ohio Revised Code Section 1354.02.
In my experience, most financial institutions are concerned about data security involving their customers, employees and others. Before they worry about data breach litigation, they care about data security because they know that a data breach is bad for business and that protecting privacy is the proper thing to do. Given these considerations, there is no reason for a financial institution not to assess its current data security plan to see whether it already meets the Act’s requirements or can reasonably be modified to comply. The general requirements of Section 1354.02 may already be met by the financial institution’s existing data security plan, because that section requires that the plan (i) be designed to protect the security and confidentiality of information against anticipated threats, including unauthorized access by outsiders and insiders, (ii) be scaled and designed to fit the institution and varied according to the threat [the threat of outside hackers is not the same as the threat that a teller will commit identity theft, so the plan should be tailored accordingly], and (iii) meet certain other requirements. If the tests in Section 1354.02 are met, the affirmative defense described above is available.
If a financial institution wants to assert the affirmative defense without having its data security plan tested against the general standards of Section 1354.02, it can instead opt to meet the requirements of Section 1354.03. This is commonly referred to as a “safe harbor.” The legislature has determined that a plan that reasonably conforms to one of the recognized cybersecurity frameworks listed in Section 1354.03 automatically satisfies Section 1354.02, so the affirmative defense is available without a separate showing under that section.
If a financial institution chooses to pursue a safe harbor, it should review all of the frameworks listed in Section 1354.03 to determine which set of standards is best suited to the institution’s needs. I would also suggest that financial institutions focus on Subsection 1354.03(B)(2), because the standards listed there are aimed at regulated entities like financial institutions.
Of particular interest, one of the data protection regimes that financial institutions may choose to follow comes from the Gramm-Leach-Bliley Act of 1999, also known as the Financial Services Modernization Act of 1999. Many financial institutions are already familiar with the data protection requirements of this law because it applies directly to financial institutions and is nearly 20 years old. The Gramm-Leach-Bliley Act’s requirements consist primarily of a security rule (the Safeguards Rule) and a privacy rule, which the Federal Trade Commission promulgates for the financial institutions within its jurisdiction.
Another option in the Act that might fit some financial institutions is found in Section 1354.03(C)(1), which admits financial institutions and other businesses, such as merchants, into the safe harbor/affirmative defense if the institution’s data security plan meets the Payment Card Industry Data Security Standard (PCI DSS), along with certain other requirements. Financial institutions should consider shaping their data security plan to meet PCI DSS, as there is an excellent chance the institution is already acquainted, and in compliance, with its technical and operational requirements for organizations that accept or process payment card transactions.
Before the rise of internet hackers, entities holding sensitive data faced disgruntled employees who stole information and dumpster divers who sought information that had been handled sloppily. Those risks still exist, and new threats (malware, spoofing and phishing) arise regularly. Every indication is that data breaches will happen and that litigation will follow; sadly, both seem inevitable. Knowing these facts, it is logical and appropriate for a financial institution to:
- Assess the institution’s current data protection plan and improve it as needed.
- Compare the institution’s data security plan with the general requirements of Ohio Revised Code Section 1354.02 to determine whether the institution can use the Act’s affirmative defense in the event of data breach litigation.
- Consider avoiding the generalized tests of Section 1354.02 altogether by conforming the institution’s data security plan to one of the recognized frameworks listed in Section 1354.03.
- Pay close attention to the data security standards already tailored to the financial services industry, particularly (a) the Gramm-Leach-Bliley Act of 1999 and (b) the Payment Card Industry Data Security Standard, as both bear directly on the business activities of financial institutions.
Again, be proactive and assess whether you can secure for your institution the protections offered under the Ohio Data Protection Act.