Ohio is poised to lead the nation by incentivizing businesses to implement certain cybersecurity controls, which can be an affirmative defense to a data breach claim based on negligence. Under the proposed legislation, if a business is sued for negligently failing to implement reasonable information security controls resulting in a data breach, the business can assert its compliance with the cybersecurity control as an affirmative defense at trial.
For years we have counseled our clients to implement a comprehensive data governance program and incident response plan (IRP), both to minimize the likelihood of a security incident and to increase the likelihood that the client’s management will survive one. It hasn’t always been an easy sell, to be sure. We’ve heard, “I will just pay when something bad happens.” In the past several years, however, we’ve seen the benefits of such programs come to fruition beyond compliance and risk reduction. Today, insurance companies are more likely to cover your company and offer lower premiums if you have a solid information security program and IRP in place. With added frequency, clients are having to respond to RFPs and solicitations that include cybersecurity requirements and governance programs. In short, if you want to even have a shot at getting the business, you need to have an information security program in place. Well, now there may be another benefit.
Ohio Senate Bill 220, sponsored by state senators Bob Hackett and Kevin Bacon, is the first product of Ohio Attorney General Mike DeWine’s Cyber Ohio Initiative task force. The legislation describes its purpose:
The purpose of this Act is to establish a legal safe harbor to be pled as an affirmative defense to a cause of action sounding in tort that alleges the failure to implement reasonable information security controls resulted in a data breach. The safe harbor shall apply to all covered entities that implement a cybersecurity program that complies with the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology or other industry recognized data security framework.
This Act is intended to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action. The bill does not, and is not intended to, create a minimum cybersecurity standard that must be achieved, nor shall it be read to impose liability upon businesses that do not obtain or maintain practices in compliance with the frameworks referenced in this section.
[Senate Bill 220, Section 2.]
The specifics are as follows:
A covered entity that implements and maintains a cybersecurity program that complies with the NIST cybersecurity framework, or other industry cybersecurity framework … shall be deemed to be in compliance with this section.
Compliance [which] … shall constitute an affirmative defense to any cause of action sounding in tort that alleges the failure to implement reasonable information security controls resulted in a data breach.
Following any update to the NIST cybersecurity framework, or other industry recognized data security framework, the covered entity shall have a period of one year from the stated effective date as prescribed in the framework to comply with the update.
If a covered entity complies with the update within one year of the stated effective date found in the framework as updated, the entity shall still be deemed to be in compliance with this section.
[Senate Bill 220, Section 1354.02(D).]
The eight safe harbor cybersecurity frameworks are:
- NIST SP 800-171;
- NIST SP 800-53 and 800-53A;
- the Federal Risk and Authorization Management Program (FedRAMP);
- the Center for Internet Security (CIS) Critical Security Controls;
- the ISO 27000 family;
- the HIPAA Security Rule;
- the Gramm-Leach-Bliley Act; and
- the Federal Information Security Modernization Act (FISMA).
[Senate Bill 220, Section 1354.03.]
As an example, if passed, this bill will immediately benefit Ohio defense contractors. Pursuant to DFARS 252.204-7012, defense contractors handling covered defense information must implement NIST SP 800-171 by December 31, 2017 anyway. The added benefit of being able to assert compliance with that cybersecurity standard as a defense to a negligence-based data breach claim is welcome relief. Who said compliance doesn’t pay?