Ohio recently enacted the Ohio Data Protection Act (2018 SB 220), a law that offers a breach litigation safe harbor to businesses meeting specific cybersecurity standards. While the law does not prevent a plaintiff from filing a lawsuit following a data breach, it does provide an affirmative defense to companies defending themselves against such claims. If an entity’s data security policies conform to one of several listed cybersecurity frameworks, the entity can invoke the safe harbor as a defense, and possibly defeat a tort claim alleging that the company’s failure to comply with reasonable security standards resulted in the breach. Signed on August 3, 2018 by Governor John Kasich, the law will go into effect on November 2, 2018.
The safe harbor applies to covered entities that implement and comply with a cybersecurity program modeled on one of several industry-recognized cybersecurity frameworks. The law has a broad scope, as “covered entities” include any business that accesses, maintains, communicates, or processes “personal information” or “restricted information.” “Restricted information” is defined by the law as any unencrypted information about an individual, other than personal information, that could be used to distinguish or trace an individual’s identity, the breach of which is likely to result in a material risk of identity theft or fraud.
The scope of the safe harbor is limited by two factors. First, the law only applies to tort claims, meaning there is no affirmative defense against contract claims, which are common in breach litigation. Secondly, the safe harbor only applies to tort claims that are based on Ohio law or brought in an Ohio court.
To be eligible for the safe harbor, covered entities must “create, maintain, and comply with a written cybersecurity program” that “reasonably conforms” to one of several named cybersecurity frameworks. As stated in the law, the possible frameworks include:
- The NIST Cybersecurity Framework, NIST’s SP 800-171, SP 800-53, or SP 800-53a, FedRAMP, the CIS Critical Security Controls, or the ISO 27000 family;
- For regulated entities, the cybersecurity requirements of HIPAA, the Gramm-Leach-Bliley Act, FISMA, or HITECH, as appropriate; or
- The PCI Data Security Standard (PCI DSS) in conjunction with one of the other standards listed in (1) or (2).
The law also emphasizes that while the goal of an eligible cybersecurity program remains the same across entities – to protect personal and restricted information against all anticipated threats – each company must develop a risk-based program in accordance with several factors unique to each entity. These factors include the size and complexity of the entity, the nature and scope of its activities, the sensitivity of the information to be protected, the cost and availability of tools needed to improve information security and reduce vulnerabilities, and the resources available to the entity.