New Cybersecurity Law Offers Safe Harbor Against Tort Claims

McGuireWoods LLP

On November, 2, 2018, Ohio’s recently passed Data Protection Act (Act) officially became law. The Act provides a possible affirmative defense to businesses in lawsuits where the plaintiff alleges a tort based on a business’ failure to implement a cybersecurity framework.

Importantly, the new law does not create a minimum cybersecurity standard in Ohio or new cybersecurity regulations that businesses must follow. Rather, the law operates by incentivizing businesses to develop and maintain a cybersecurity program that “reasonably conforms” to an already existing, industry recognized cybersecurity framework. If the company can prove that it had a compliant cybersecurity program in place at the time of a breach, the company can use the program’s existence as an affirmative defense to certain tort claims.

Under the Act, compliant frameworks include:
• National Institute of Standards and Technology (NIST) Cybersecurity Framework;
• NIST Special Publications 800-53, 800-53A, or 800-171;
• Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework;
• Center for Internet Security Critical Security Controls (CIS CSC) for Effective Cyber Defense;
• International Organization for Standardization (ISO) / International Electrotechnical Commission’s (IEC) 27000 Family – Information Security Management Systems;
• Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule;
• Health Information Technology for Economic and Clinical Health Act (HITECH);
• Title 5 of the Gramm-Leach-Bliley Act of 1999 (GLBA);
• Federal Information Security Modernization Act of 2014 (FISMA); and
• Payment Card Industry Standard (PCI) combined with another listed framework.

The law allows businesses to determine the appropriate framework to follow based on the individualized needs of the business. The law requires that the “scale and scope” of the company’s cybersecurity program be appropriate in light of:

  1. The size and complexity of the covered entity;
  2. The nature and scope of the activities of the covered entity;
  3. The sensitivity of the information protected;
  4. The cost and availability of tools to improve information security and reduce vulnerabilities; and
  5. The resources available to the covered entity.

However, the law’s protections are limited. The Act only provides an affirmative defense to tort claims based on Ohio law or brought in an Ohio court. Businesses would not have an affirmative defense to contract actions.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McGuireWoods LLP | Attorney Advertising

Written by:

McGuireWoods LLP

McGuireWoods LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide