A Data Security Plan Will Protect Your Company from Liability: New Ohio Cybersecurity Law Creates “Safe Harbor” from Data Breach Claims

McNees Wallace & Nurick LLC

On November 2, 2018, Ohio’s new “cybersecurity safe harbor” law took effect, and the law gives Ohio businesses a strong new reason to proactively address data security. Data breaches are an ever-growing threat to businesses and often result in individual claims or class action lawsuits against businesses that suffer a compromise of computer systems.

The new law protects Ohio businesses from liability resulting from a data breach if the business creates and follows a “written cybersecurity program” conforming to certain legal standards. So long as a business maintains such a written cybersecurity program, the business can raise an affirmative defense to lawsuits brought in Ohio courts or under Ohio law alleging breaches of personal information. This new law offers a critical safe harbor from tort claims alleging that the business failed to take reasonable steps to protect such information.

As the expression goes, “an ounce of prevention is worth a pound of cure,” and so it is vital for organizations to think ahead rather than merely react to a data breach. Even before the law, having a written information security policy in place was an important way for organizations to protect the personal information of customers, employees, and other stakeholders. In many industries, a written cybersecurity policy already is required to comply with federal, state and international laws, as well as industry requirements such as payment card standards governing acceptance of credit or debit card transactions. Now, having such a plan in place offers a critical means to avoid the costs of litigation or liability for data exposure events.

A written information security policy must be customized to each business but generally is designed to implement best practices regarding collection, storage, and use of personally-identifiable information, such as Social Security numbers, driver’s license numbers, and financial account or credit card information. The new Ohio safe harbor law provides that a cybersecurity program should be based upon each of the following factors:

  1. The size and complexity of the organization
  2. The nature and scope of the activities of the organization
  3. The sensitivity of the information to be protected
  4. The cost and availability of tools to improve information security and reduce vulnerabilities, and
  5. The resources available to the covered entity.

The law points to certain federal and international guidance, including the NIST framework and ISO-27001 standards, as examples of best practices that should be followed by organizations to take advantage of the safe harbor.

McNees’s Privacy & Data Security team assists our clients to proactively limit their exposure to data compromises by implementing policies and procedures appropriate to protect personally-identifiable information and to comply with U.S. and international privacy laws. We routinely work with businesses, financial institutions, universities, and other organizations to help them adopt best practices for cybersecurity and to conform with specific laws and regulations applicable in their industries.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McNees Wallace & Nurick LLC | Attorney Advertising
