[BreachExchange] INSIGHT: Getting Ready for Ohio’s New Data Protection Act

[Destry Winant]

https://www.bna.com/insight-getting-ready-n57982093431/

Ohio businesses that implement written cybersecurity programs may be
less vulnerable to civil liability from data breaches because of the
recent passage of the Ohio Data Protection Act (Senate Bill 220, Ohio
Rev. Code § 1354.01, et seq.). Effective Nov. 2, 2018, the Act seeks
to provide a legal safe harbor to businesses that implement a
specified cybersecurity program by providing compliant businesses with
an affirmative defense to tort actions brought under Ohio law or in
Ohio courts. The Act’s supporters hope it will incentivize businesses
to implement cybersecurity programs voluntarily, while critics have
questioned whether the law’s limited scope will produce its intended
effect.

The Data Protection Act was initially conceived by the Ohio Attorney
General’s CyberOhio Initiative, which seeks to help Ohio businesses
address data security threats. When the Act was signed into law, the
Attorney General issued a statement claiming that “Ohioans can be
confident that their personal information will be better protected”
and that “companies have even more incentive to invest in strong cyber
security controls.” A closer look at the law, however, suggests little
to assure the confidence promised by the Attorney General.

What the Act Requires

The Data Protection Act entitles a complying business “to an
affirmative defense to any cause of action sounding in tort that is
brought under the laws of [Ohio] or in [Ohio] courts” alleging “that
the failure to implement reasonable information security controls
resulted in a data breach concerning personal information.” Ohio Rev.
Code § 1354.02(D). To be eligible for this affirmative defense, the
business must “create, maintain, and comply with a written
cybersecurity program that contains administrative, technical, and
physical safeguards” for the protection of personal information and
“restricted” information, and that reasonably conforms to an
industry-recognized cybersecurity framework. Ohio Rev. Code §
1354.02(A).

The cybersecurity program must be designed to (1) protect the security
and confidentiality of personal or restricted information, (2) protect
against any anticipated threats or hazards to the security or
integrity of such information, and (3) protect against unauthorized
access to and acquisition of the information that is likely to result
in a material risk of identity theft or other fraud to the individual
to whom the information relates. Ohio Rev. Code § 1354.02(B). A
business seeking to take advantage of the defense will have the burden
of proving that it meets all three of these eligibility requirements.

Recognizing that businesses are varied in size and complexity (as well
as in their activities and the types of information they process and
collect) and that therefore different cybersecurity solutions may be
appropriate to meet their needs, the Act further provides that the
“scale and scope” of a chosen program will be appropriate if it is
based on all of the following factors:

the size and complexity of the covered entity;
the nature and scope of the activities of the covered entity;
the sensitivity of the information to be protected;
the cost and availability of tools to improve information security and
reduce vulnerabilities; and
the resources available to the covered entity.

Ohio Rev. Code § 1354.02(C).

Businesses may choose among several industry-recognized frameworks in
establishing their cybersecurity programs. The Act states that a
business’s cybersecurity program provides the requisite protections if
it “reasonably conforms” to the current version of any of the
following, or any combination of the following, frameworks:

- the framework for improving critical infrastructure cybersecurity
developed by the National Institute of Standards and Technology
(NIST);
- NIST Special Publication 800-171;
- NIST Special Publications 800-53 and 800-53a;
- the Federal Risk and Authorization Management Program (FedRAMP)
Security Assessment framework;
- the Center for Internet Security Critical Security Controls for
Effective Cyber Defense; or
- the International Organization for Standardization/International
Electrotechnical Commission 27000 Family - Information Security
Management systems.

Ohio Rev. Code § 1354.03(A).

If a business is regulated by the State of Ohio or the federal
government, or is otherwise subject to the requirements of the
regulations listed below, the business’s cybersecurity program
conforms to an “industry recognized cybersecurity framework” if it
reasonably conforms to the current version of:

- the security requirements of the Health Insurance Portability and
Accountability Act of 1996;
- Title V of the Gramm-Leach-Bliley Act of 1999;
- the Federal Information Security Modernization Act of 2014; or
- the Health Information Technology for Economic and Clinical Health Act.

Ohio Rev. Code § 1354.03(B).

Cybersecurity programs for businesses dealing with payment cards
satisfy the requirements of the Act if they reasonably comply with
both the current version of the Payment Card Industry (PCI) Data
Security Standard and conform to the current version of one of the
other industry-recognized cybersecurity frameworks listed above.

Criticism of the Act

Despite its support and passage, some have criticized the Act for a
variety of reasons. First, while the Act does provide an affirmative
defense to certain types of claims, it is not a defense to all claims.
The affirmative defense is limited to tort claims brought under Ohio
law or in Ohio courts. The Act does not provide a defense to breach of
contract or statutory violations, or other non-tort claims, nor does
it protect businesses from claims brought under other states’ laws or
in other states. Since plaintiffs bringing nationwide class actions
often have a choice of states in which to bring their claims, the
defense is unlikely to be effective in such cases.

Moreover, even when the affirmative defense is asserted, it would not
be automatic. Rather, the business would have the burden to prove its
defense, and it would ultimately be up to a judge or perhaps a jury to
decide whether the defense applies. The standard of what constitutes
“reasonable compliance” with an accepted cybersecurity program is
subjective, since there is no certification process offered to verify
compliance. Thus, to take advantage of the defense, a business will
likely have to engage in expensive discovery and motion practice, and
possibly even trial.

Some critics have suggested that businesses, in order to obtain the
requisite cybersecurity programs, will pass along the costs of
implementing cybersecurity programs to customers. Others have argued
that Ohio should simply require businesses to implement cybersecurity
measures instead of merely incentivizing them to do so. Ultimately,
time will tell whether the Act produces its intended benefits.

Looking Ahead

Despite the criticisms and recognized limitations of the law,
businesses should assess whether compliance with the Act will
nevertheless be beneficial. Robust cybersecurity programs are de
rigueur in today’s online environment, offering a substantial
competitive advantage for forward-looking businesses. Just as many
companies have used the EU General Data Protection Regulation as a
selling point to convey their commitment to protecting the personal
information of customers and potential clients, Ohio companies will
likely tout their compliance with the Act as a value-added benefit of
doing business with them. Moreover, in case of a breach and subsequent
regulatory investigation and/or litigation, any business able to
demonstrate compliance with one or more recognized cybersecurity
programs will surely be ahead of the curve. Furthermore, the process
of implementing a cybersecurity program may serve to make an entity
more aware of the issues and challenges involved in securing personal
and business data for itself, its employees, and its customers.
Finally, implementing a good data security program may give the
business an advantage in securing appropriate cyber insurance at a
reasonable cost.