Ohio recently passed legislation that provides a safe harbor for businesses implementing and maintaining “reasonable” cybersecurity controls.

The Ohio Data Protection Act (2018 SB 220) was launched as part of Attorney General Mike DeWine’s CyberOhio Initiative and is intended to help Ohio businesses defend against cybersecurity threats. Signed by Gov. John Kasich in early August, the law will go into effect Nov. 2, 2018.

Unlike consumer privacy legislation recently passed in California and Colorado, the Ohio law does not rely on punitive measures as a means of enforcement. In fact, the Data Protection Act explicitly does not set minimum data security standards or impose liability on businesses that fail to maintain cybersecurity programs in compliance with the law. To encourage higher levels of cybersecurity within the Ohio business community, the legislation focuses on compliance through “voluntary action” and offers a breach litigation safe harbor to covered entities that meet the law’s cybersecurity standards.

Covered entities

The law applies broadly to any business that “accesses, maintains, communicates, or processes personal information or restricted information.” While it does not change the meaning of “personal information” provided in Section 1349.19 of the Revised Code, the law defines “restricted information” as any unencrypted information about an individual that can be “used to distinguish or trace the individual’s identity.”

Affirmative defense as incentive for compliance

The purpose of the Ohio law is to provide covered entities with an affirmative defense in data breach claims based on tort law. By invoking the affirmative defense, covered entities may refute liability in certain lawsuits that claim a business’s failure to implement reasonable information security measures resulted in a data breach.

This safe harbor has several limitations. For a business to invoke the affirmative defense in a lawsuit, the claim must (1) arise under tort law, (2) be brought under Ohio law or in Ohio courts, and (3) allege that “failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.” While a covered entity may invoke the defense in data breach lawsuits alleging negligence or invasion of privacy, the defense is strictly limited to tort claims and does not apply to statutory or contract-based claims.

Eligibility

To qualify for safe harbor, a business must “create, maintain, and comply with a written cybersecurity program” that “reasonably conforms” to one of several industry-recognized cybersecurity frameworks, including:

• National Institute of Standards and Technology (NIST) Cybersecurity Framework.
• NIST Special Publications 800-53, 800-53A, or 800-171.
• Federal Risk and Authorization Management Program (FEDRAMP).
• Center for Internet Security Critical Security Controls (CIS CSC).
• International Organization for Standardization (ISO) / International Electrotechnical Commission’s (IEC) 27000 Family.
• Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule Subpart C.
• Health Information Technology for Economic and Clinical Health Act (HITECH).
• Title 5 of the Gramm-Leach-Bliley Act of 1999 (GLBA).
• Federal Information Security Modernization Act of 2014 (FISMA).
• Payment Card Industry standard (PCI) plus another listed framework.

The entity’s cybersecurity program must be designed to (1) protect the security and confidentiality of personal information, (2) protect against any anticipated threats or hazards to the security or integrity of personal information, and (3) protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud. Although the law requires “reasonable” compliance with one of the listed frameworks, the Data Protection Act allows covered entities to tailor the scale and scope of the cybersecurity program according to their own business needs. In selecting an “appropriate” cybersecurity program, the entity should consider the following factors:

• The size and complexity of the business.
• The activities of the business.
• The sensitivity of personal information.
• The cost and availability of tools to improve cybersecurity.
• The resources available to the business.

Blockchain

SB 220 additionally modifies the statutory definitions of “electronic record” and “electronic signature” to include records and signatures secured through blockchain technology. With these amendments to the Uniform Electronic Transactions Act, Ohio becomes one of the most recent states to recognize that blockchain transactions are enforceable electronic transactions.

Potential limitations in application

Ohio is not the first state to pass legislation governing the implementation of written cybersecurity programs. Other states, including Massachusetts and New York, have enacted laws requiring businesses that handle personal information to implement and maintain a written information security program. However, the Ohio Data Protection Act’s “voluntary” approach to compliance represents a departure from the “coercive” data protection laws adopted in other states.

With no enforcement mechanism in place, voluntary compliance with the Ohio law likely depends on whether businesses find value in the affirmative defense provided under the legislation. For some companies, implementing and maintaining a cybersecurity program that “reasonably conforms” with the Ohio law will be a costly expense. While larger companies may already be in compliance with the industry standards listed in the legislation, it is unclear whether the law contains sufficient “fiscal lure” to compel smaller businesses into compliance.

Qualification for the affirmative defense may also be difficult to establish. To invoke the affirmative defense in litigation, a business needs to credibly prove compliance with a conforming cybersecurity program at the time of the data breach. Whereas Massachusetts Data Security Regulations contain a list of minimum safeguards that need to be implemented and maintained under any WISP, the Ohio Data Protection does not give specific guidelines as to what qualifies as “reasonable” conformity with industry standards. During his testimony in opposition to SB 220, Mark Abramowitz expressed concern that the Ohio law would “require judges in federal courts in different parts of the country to decide whether a company ‘complied’ with one of several different best practices — wading through hundreds of pages of technical documents — in order to address the issue at the motion to dismiss stage.”

Conclusion

While Ohio Data Protection Act intends “to encourage businesses to achieve a higher level of cybersecurity through voluntary action,” it is unclear how the Ohio business community will respond to the law’s incentive-based compliance mechanism. Most states use punitive measures, including threat of attorney general enforcement, to incite compliance with cybersecurity regulations. With the Ohio law going into effect next month, it will be interesting to see whether a potential safe harbor in data breach litigation provides a compelling incentive for a business’s voluntary compliance. Considering the number of data breach incidents in recent years, many are hopeful that the Ohio Data Protection Act’s “proactive approach to cybersecurity” will at least encourage businesses to evaluate what types of personal information they collect and adopt appropriate safeguards suited to their company’s size, their available resources and business activities, and the sensitivity of personal information collected.

Photo credit: Erik Drost, "Ohio Flag" via Flikr