In this digital age, businesses are increasingly turning to electronic means of storing the personal and/or restricted information of their employees, customers and other contacts. Unfortunately, with the convenience of this storage method comes the risk of liability should the business be the victim of a cyberattack or other data breach. In response to this risk, on August 3, 2018, Ohio Governor John Kasich signed the Data Protection Act (DPA) into law. The DPA provides Ohio businesses with an affirmative defense to data breach claims if, at the time of the breach, they had implemented a written cybersecurity program that conforms to certain standards. Specifically, the program must contain administrative, technical, and physical safeguards for the protection of personal and/or restricted information that meets all of the following criteria:
- It reasonably conforms to an industry recognized cybersecurity framework.
- It is designed to protect:
- the security and confidentiality of the information;
- against anticipated threats or hazards to the security or integrity of the information; and
- against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.
- It is appropriate in scope and scale in light of:
- the size and complexity of the business;
- the nature and scope of the business’ activities;
- the sensitivity of the information;
- the cost and availability of tools to improve security and reduce vulnerabilities; and
- the resources available to the business.
The DPA provides businesses with a list of the “industry recognized cybersecurity framework[s]” with which the program may conform. They include the “framework for improving critical infrastructure cybersecurity” developed by the National Institute of Standards and Technology (NIST); NIST special publication 800-171; NIST special publications 800-53 and 800-53a; the “federal risk and authorization management program (FedRAMP) security assessment framework”; the “center for internet security critical security controls for effective cyber defense”; and the international organization for standardization/international electrotechnical commission 27000 family – information security management systems.” The program may conform to any one or a combination of these frameworks.
The affirmative defense is also available to businesses whose cybersecurity program conforms to “both the current version of the ‘payment card industry (PCI) data security standard’ and conforms to the current version of another applicable industry recognized cybersecurity framework” listed above. Finally, the affirmative defense is available to a business that “is regulated by the state, by the federal government, or both, or is otherwise subject to the requirements of any of the laws or regulations listed below, and the cybersecurity program reasonably conforms to the entirety of the current version of any of the following”:
- the security requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA);
- Title V of the Gramm-Leach-Bliley Act of 1999 (GLBA);
- The Federal Information Security Modernization Act of 2014; and
- The Health Information Technology for Economic Clinical Health (HITECH) Act.
The DPA takes effect on November 2, 2018. Should you have any questions regarding the DPA or your obligations regarding the protection of personal and restricted information, please feel free to contact Jim Wilkins, Amanda Smith, or any other KWW attorney.