Tacking in an entirely new direction from other US states, Ohio has decided to offer defensive legal protection to businesses that have built a cybersecurity regime around well-known industry standards, even where those businesses suffer a data breach or other cybersecurity incident. This is the first US state law that proposes explicit data security standards that can serve to protect a company both from cyberattacks and from lawsuits.
Effective November 2, 2018, Ohio’s Data Protection Act (DPA) has been supplemented with an incentive-based mechanism to strengthen cybersecurity business practices. Specifically, it offers a safe harbor against data breach lawsuits for businesses that implement, maintain and comply with an industry-recognized cybersecurity program (S.B. 220).
Ohio’s safe harbor applies to businesses that access, maintain, communicate or process personal or restricted information. Aimed at combatting the uptick in costly data breaches, the law requires that cybersecurity measures be designed to (i) protect the security and confidentiality of personal information; (ii) protect against any anticipated threats or hazards to the security or integrity of personal information; and (iii) protect against unauthorized access to, and acquisition of, personal information that is likely to result in a material risk of identity theft or other fraud to the individuals concerned.
In an effort to mitigate the effects and exposure of data breaches, this revision to Ohio’s DPA seeks to encourage businesses to create, or improve, their cybersecurity measures by complying with established frameworks. In exchange, businesses gain an affirmative defense to tort actions arising from alleged “failure[s] to implement reasonable information security controls, resulting in a data breach.”
To qualify for safe harbor, businesses must “reasonably conform” with one of the eight commonplace industry-recognized frameworks, including HIPAA, GLBA, FISMA, and NIST’s Cybersecurity Framework. Guidelines for security measures are scaled and particularized, taking into account a business’s size and complexity, the nature and scope of its activities, the sensitivity of the information to be protected, the cost and availability of tools to improve information security and reduce vulnerabilities, and its available resources. Significantly, businesses currently complying with PCI DSS will need to adhere to a listed framework in addition to PCI DSS to come under the DPA’s safe harbor.
The safe harbor does not completely absolve liability in the event of a data breach; among other things, it excludes contract-based claims (such as business-vendor and customer contract actions).
The newly enacted law also amended Ohio’s communications regulations to legally recognize the use of blockchain technology to store and transmit electronic records. Put another way, electronic signatures secured through blockchain technology will be given the same legal authority as any other document in the formation of a contract. Ohio joins Arizona, California, Delaware, Nevada, Tennessee and Vermont in enacting laws that substantively address blockchain technology and “smart contracts.”