Companies with robust cybersecurity programs may still be vulnerable to attack. A new, first-of-its-kind law in Ohio now recognizes this fact. Effective November 1, 2018, the Ohio Data Protection Act (SB 220) establishes a safe harbor from state tort actions in data breach cases for entities that have developed an information security program with “administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry recognized cybersecurity framework.” Without establishing minimum cybersecurity standards, the Ohio law affords defendants an “affirmative defense” against state tort actions and establishes an important precedent that may serve as a model for other states and the federal government to follow.
To qualify for the safe harbor, entities must:
- Protect the security and confidentiality of the information;
- Protect against anticipated threats or hazards to the security or integrity of the information; and
- Protect against unauthorized access to and acquisition of information that is likely to result in a material risk of identity theft or fraud.
The statute adopts a flexible and technology-neutral approach to determining compliance with these standards, expressly recognizing that the “size and complexity” of the entity, the “nature and scope” of the entity’s activities, the sensitivity of the information, the cost and availability of tools to improve information security, and the resources available to the entity may all affect how a program should appropriately be implemented.
Critically, the entity also must “reasonably conform” with one of the following cybersecurity frameworks:
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework;
- NIST special publication 800-171, 800-53, or 800-53a;
- The Federal Risk and Authorization Management Program’s Security Assessment Framework;
- The Center for Internet Security’s Critical Security Controls for Effective Cyber Defense; or
- The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27000 family of Information Security Management System standards.
Entities that handle payment cards must comply with one of these frameworks and with the Payment Card Industry Data Security Standard (PCI DSS).
Alternatively, entities need not comply with one of the above cybersecurity frameworks if they are subject to and comply with the Health Insurance Portability and Accountability Act (HIPAA), Title V of the Gramm-Leach-Bliley Act (GLBA), the Federal Information Security Modernization Act (FISMA), or the Health Information Technology for Economic and Clinical Health Act (HITECH). The Ohio law thus expressly recognizes and endorses the US sectoral approach to privacy regulation for particular industries.
Entities that receive the safe harbor are entitled to an “affirmative defense” against any tort action brought under Ohio law or in an Ohio court alleging failure to implement reasonable information security controls in a data breach case.
The law does not specify what it means to “reasonably conform” with one of these cybersecurity frameworks, nor does it indicate how a defendant would establish that it has an information security program that meets the substantive requirements of protecting information against threats or hazards and unauthorized access. Regardless, the safe harbor affords some measure of protection for defendants that are subject to data breach litigation.
Perhaps more importantly, the Ohio law recognizes that companies may have strong cybersecurity programs but still be vulnerable to attack. In such instances, companies should not be liable simply because they were targeted by malicious actors. This reasonable approach to the realities of cyber risk management may prove a helpful template for upcoming policy as Congress and the Trump administration consider the future of federal data protection legislation.