Policymakers long have wrestled with how to enhance private-sector cybersecurity without imposing prescriptive one-size-fits-all requirements that undermine effective cyber risk management. With the passage of its Cybersecurity Safe Harbor Act (the “Act”) on August 3, 2018, Ohio has enacted legislation—the first of its kind—that is intended to use the promise of relief from legal liability to incentivize companies to adopt appropriate cyber protections. Specifically, the Act gives companies that take certain steps to create, maintain and comply with a written cyber program an affirmative defense to data breach claims sounding in tort (such as negligence) brought under the laws or in the courts of Ohio. It remains to be seen whether the Act will have a practical impact on companies’ approaches to cyber risk management or their liability exposure after a data breach. The Act nonetheless is important because it suggests a new approach to the regulation of cybersecurity practices and liability after a data breach.
The Act does not “create a minimum cybersecurity standard” or “impose liability upon businesses that do not … maintain practices in compliance with the act.” Instead, the Act enables companies to assert an affirmative defense based on their implementation of a written security program. To establish such a defense, a company would have to show that its security program contains administrative, technical and physical safeguards designed to protect either “personal information” or “personal information and restricted information.” “Personal information” is defined elsewhere in the Ohio Code as “an individual's name, consisting of the individual's first name or first initial and last name, in combination with and linked to any one or more of the following: social security number; driver’s license or state ID number; account or credit/debit number (in combination with a password).” “Restricted information” is defined by the Act as any information that can be used, alone or in combination with other information, to distinguish or trace the individual’s identity or that is linked or linkable to an individual and “the breach of which is likely to result in a material risk of identity theft or other fraud to person or property.” The definitions of both personal and restricted information exclude information that is encrypted, redacted or otherwise rendered unreadable.
The Act further specifies that a company asserting the affirmative defense must establish that it implemented a written cyber program designed to (1) “protect the security and confidentiality of the information,” (2) “protect against any anticipated threats or hazards to the security or integrity of the information” and (3) “protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.” The Act provides that the scale and scope of a company’s program should be shaped by the following factors: (1) the company’s size and complexity, (2) the nature and scope of its activities, (3) the sensitivity of its information, (4) the cost and availability of tools to improve security and (5) the resources available. Developing a written information security program of this type may be familiar to companies, since having a security plan in place is required by certain regulations (see, e.g., the Gramm-Leach-Bliley Act (GLBA)) and included as a recommendation in existing best practices (see, e.g., the Federal Trade Commission and the National Institute of Standards and Technology (NIST) Framework).
The Act requires companies to have “reasonably conform[ed]” to one of the industry-recognized frameworks in order to rely on the affirmative defense. Those frameworks available for non-regulated companies include:
- NIST Cybersecurity Framework;
- NIST Special Publications 800-171 or Special Publications 800-53 and 800-53a;
- Federal Risk and Authorization Management Program (FedRAMP)’s Security Assessment Framework;
- Center for Internet Security Critical Security Controls; and
- ISO/IEC 27000 family of information security standards.
Companies regulated by sector-specific laws may rely on the affirmative defense if they can demonstrate that their plan conforms to one of the applicable security requirements, identified in the Act as the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), Title V of the GLBA, and the Federal Information Security Modernization Act (FISMA). To gain the Act’s protections, companies accepting credit cards must comply with the Payment Card Industry Data Security Standard as well as one of the generally applicable frameworks listed above.
Simply having drafted a written security program would not be sufficient to establish the affirmative defense. Companies must also have maintained and complied with their programs, although the Act provides no further information on how a company would demonstrate that it has satisfactorily done this, nor does the Act specify how a company would show that its plan “reasonably conforms” with one of the identified frameworks.
As reflected above, defendant companies would not be able to rely on the Act to avoid the early stages of litigation, but rather would have to make a substantial showing in order to benefit from the safe harbor that it provides. Moreover, it remains to be seen whether data breach plaintiffs will bring their suits outside Ohio or under legal theories other than the tort claims covered by the statute. As a result, the Act may well have limited immediate impact for companies as they continue to refine their cyber risk management programs or as they defend against data breach litigation. Nonetheless, the Act may prove to be a significant milestone in ongoing policy debates over cybersecurity regulation and litigation, particularly if this model is followed by other states or draws the interest of federal policymakers.