Yahoo. Equifax. LinkedIn. Target. Aside from being some of the world's largest corporate entities, these companies are just a few of the more noteworthy businesses that have fallen victim to data breach incidents in recent years. Companies large and small today face the tough reality that it is no longer a matter of "if," but rather "when," a company's network will be breached. Over the years, lawmakers have struggled with devising effective methods for enhancing the cybersecurity of private organizations without mandating one-size-fits-all requirements that undercut effective data security management. Last November, Senate Bill 220, also known as the Ohio Data Protection Act (DPA), was enacted into law in the state of Ohio – which represents the first law that accomplishes just that goal. Importantly, the DPA now provides Ohio businesses with an affirmative defense to some forms of data breach claims where the business has in place reasonable security measures at the time of the breach. In enacting the DPA, Ohio became the first state in the nation to implement a law that affords a data breach safe harbor for business entities.
The Threat: Today’s Rising Risk of Data Breach Incidents
As is common knowledge today, business entities are prime targets, and victims, of computer-network penetration and data theft. In addition to hackers, business entities also face significant data breach threats originating from inside the organization. Importantly, data breach incidents have proliferated astronomically in recent years both in frequency and severity. More often than not, the financial consequences of a data breach are catastrophic. Furthermore, in addition to the economic loss caused by a breach, the reputational hit that a business customarily takes in the wake of a data theft incident can have dire consequences on the long-term viability of the organization. In particular, many businesses who maintain vital sensitive and proprietary company data may choose to steer clear of utilizing a company that has demonstrated an inability to properly safeguard client information, resulting in the exodus of current clients, as well as significant lost business opportunities from potential clients.
The Solution: Ohio’s Data Protection Act
Ohio enacted the Data Protection Act, which provides an incentive-based program for businesses to strengthen their cybersecurity practices. Specifically, the DPA provides companies with a safe harbor against data breach claims sounding in tort (such as negligence) brought under the laws or in the courts of Ohio for companies that implement, maintain and comply with one of several industry-recognized cybersecurity programs. Significantly, contained in the text of the DPA is an express provision which provides that the Act does not “create a minimum cybersecurity standard that must be achieved” or “impose liability upon businesses that do not obtain or maintain practices in compliance with the act.” Instead, the DPA endeavors “to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action.”
In order to qualify for the safe harbor, an entity must implement a written cybersecurity program designed to: (1) protect the security and confidentiality of personal information; (2) protect against anticipated threats or hazards to the security or integrity of personal information; and (3) protect against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or fraud.
The DPA provides that the scale and scope of the company’s cybersecurity program should be consummate with the following factors: (1) the company’s size and complexity; (2) the nature and scope of its activities; (3) the sensitivity of the personal information maintained by the company; (4) the cost and availability of tools to improve information security; and (5) the resources available to the company.
The Act also requires the entity’s cybersecurity program to “reasonably conform” to one of the following frameworks:
National Institute of Standards and Technology’s (NIST) Cybersecurity Framework;
NIST Special Publication 800-171 or Special Publications 800-53 and 800-53a;
Federal Risk and Authorization Management Program’s (FedRAMP) Security Assessment Framework;
Center for Internet Security’s Critical Security Controls for Effective Cyber Defense; or
International Organization for Standardization (ISO)/International Electrotechnical Commission’s (IEC) 27000 Family – Information Security Management Systems Standards.
For businesses that accept payment cards, in order to qualify for the affirmative defense, these organizations’ cybersecurity programs must comply with the Payment Card Industry’s Data Security Standards (PCI-DSS), in addition to one of the generally applicable frameworks identified above. Similarly, companies subject to certain state or federally mandated sector-specific laws may rely on the affirmative defense if—in addition to conforming with one of the above generally applicable frameworks—they can establish that their plan conforms to any additional security requirements, such as the security requirements identified in the Health Insurance Portability and Accountability Act (HIPAA), Title V of the Gramm-Leach-Bliley Act (GLBA), the Federal Information Security Modernization Act (FISMA), or the Health Information Technology for Economic and Clinical Health Act (HITECH).
Critically, however, simply having a written security program drafted and on file will not suffice to utilize the affirmative defense in the wake of a data breach incident. Rather, companies must also have maintained and complied with their programs at the time of a breach to be entitled to the shield provided by the safe harbor. With that said, the DPA provides no further discussion or explanation as to how a company can successfully establish that it has implemented sufficient cybersecurity measures to make itself eligible for the affirmative defense. Moreover, the act fails to provide any additional information regarding how a company can successfully establish that its cybersecurity plan “reasonably conforms” with one of the above frameworks.
The DPA represents the first law in the country to provide incentives to businesses to implement certain cybersecurity controls through the utilization of an affirmative defense to liability in the wake of a data breach. With that said, some states—such as New York—do require certain organizations to satisfy specific cybersecurity compliance standards, without affording such companies an express safe harbor as an incentive to adopt such standards.
Ohio’s cybersecurity law is a welcome opening for organizations of all shapes and sizes who seek to limit their liability in the wake of a data breach. Importantly, the DPA provides clear steps that business entities must take in order to qualify for the safe harbor under the act. But qualification for this new defense to liability is not automatic. Rather, a company will bear the burden of establishing that its program satisfies all of the requirements under the law.
As such, as the number and severity of data breaches continues to climb today with no foreseeable end in sight, now more than ever companies—including Ohio law firms—must be proactive in implementing effective safeguards to shield sensitive company information from malicious hackers or other unauthorized access. At the same time, companies should ensure that their cybersecurity programs comport with the requirements of the DPA, as doing so will allow companies to invoke the act’s safe harbor to defeat certain state law data breach tort claims alleging that the organization’s data security measures resulted in a data breach incident. Through the implementation of a robust cybersecurity risk management program, companies and law firms can effectively minimize the risk of falling victim to a catastrophic data breach, while at the same time putting themselves in the best position to assert the DPA’s stringent defense to liability in the event they fall victim of a data breach incident and find themselves on the receiving end of a subsequent civil action stemming from the breach.
“Ohio’s Data Protection Act,” by David J. Oberly was published on July 1, 2019, in Ohio Lawyer (Spring 2019, Vol. 33, No. 2), a member magazine of the Ohio State Bar Association. Reprinted with permission.