Last November, Taft’s Scot Ganow and Bill Wagner wrote on Ohio’s first-of-its-kind state legislation, which would provide companies a safe harbor from some litigation resulting from a data breach. This month, Governor John Kasich signed Ohio Senate Bill 220, also known as the Ohio Data Protection Act, into law. The law goes into effect in November and is aimed at providing entities conducting business in Ohio with special protection from litigation in the event of a security incident or breach under certain circumstances. Specifically, the law creates a safe harbor affirmative defense when an entity adopts cybersecurity measures designed to: (1) protect the security and confidentiality of personal information; (2) protect against any anticipated threats or hazards to the security or integrity of the personal information; and (3) protect against unauthorized access to and acquisition of information that is likely to result in a material risk of identity theft or other fraud.
Frameworks for Compliance
The founding principle of the law is to provide organizations with a legal incentive to achieve a “higher level of cybersecurity” by maintaining a cybersecurity program that substantially complies with one of eight industry-recommended frameworks. Businesses that substantially comply with any of the frameworks outlined in the Data Protection Act are entitled to a “legal safe harbor” to be pled as an affirmative defense to tort claims related to a data breach stemming from alleged failures to adopt reasonable cybersecurity measures. These frameworks include:
- Center for Internet Security’s Critical Security Controls for Effective Cyber Defense;
- Federal Information Security Modernization Act;
- Federal Risk and Authorization Management Program’s Security Assessment Framework;
- Gramm-Leach-Bliley Act’s Safeguards Rule;
- Health Information Technology for Economic and Clinical Health Act;
- Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule;
- International Organization for Standardization (ISO)/International Electrotechnical Commission’s (IEC) 27000 Family – Information Security Management Systems Standards; and
- National Institute of Standards and Technology’s (NIST) Cybersecurity Framework.
Further, the law does not promote a one-size-fits-all approach to security. Instead, the Data Protection Act prompts entities to establish a cybersecurity program based on (1) the organization’s size and complexity, (2) the nature and scope of its activities, (3) the sensitivity of the personal information protected under the program, (4) the cost and availability of tools to improve its information security, and (5) the resources available to the organization. Critically, for businesses that accept payment cards, the Payment Card Industry’s Data Security Standard (PCI DSS) is not a framework eligible for safe harbor. Businesses currently complying with PCI DSS must also comply with one of the above frameworks to qualify for the safe harbor affirmative defense.
Safe Harbor – Protections and Limitations
The Data Protection Act’s “legal safe harbor” does not provide businesses with blanket immunity from a data breach lawsuit. Instead, the law creates an affirmative defense to tort actions (such as invasion of privacy and negligence) brought against Ohio businesses that have suffered a data breach involving personal information or restricted information. The entity still bears the burden of establishing that its cybersecurity program complied with the law’s requirements. Further, the safe harbor does not apply to contract-based actions, such as those that arise from a business-vendor dispute or between a business and its customers where a contractual relationship is alleged.
The Data Protection Act also amended state regulations to give blockchain-based documents the same legal legitimacy as any other document, thereby allowing the use of digital ledgers for legal, financial, and medical records. Specifically, the law amends Ohio’s communications regulations to state that “[a] signature that is secured through blockchain technology is considered to be in an electronic form and to be an electronic signature.” To put it another way, using private keys to sign a transaction on a blockchain now has the same legal authority as a signed contract. With this amendment, Ohio joins states such as Arizona, Florida, and California in passing legislation recognizing signatures and smart contracts secured by blockchain technology as legal documents.
Breach Notification Requirements Remain the Same
The Data Protection Act does not amend Ohio’s current breach notification laws. Any entity that adopts one of the safe harbor’s cybersecurity frameworks must still provide notification of data breaches affecting Ohio residents. In Ohio, notification must occur no later than 45 days following the discovery or notification of the breach (subject to specific exceptions for legitimate law enforcement needs and measures necessary to determine the scope of the breach). Further, neither the Data Protection Act nor Ohio’s notification law affects breach notification requirements for HIPAA-covered entities and financial institutions that have their own notification requirements under federal law.
As we advise our clients time and again, no one is immune from the threat of a data breach. Companies should approach data governance as a question of WHEN a breach will happen, not IF. The Data Protection Act gives Ohio businesses an opportunity to evaluate the personal information they create, maintain, receive, and share, as well as the safeguards in place to protect that information. Businesses should map and classify the data they collect to understand what information they hold and how that information flows through the organization. Once businesses understand what data they have and where that data is located, they can make informed decisions about the appropriate administrative, physical, and technical safeguards to adopt, and create a cybersecurity program that makes sense based on the company’s size, revenues, resources, and the sensitivity of the information maintained.
No matter how robust a company’s security program may be, breaches are an inevitable part of doing business. But following the guidance outlined in the Data Protection Act will set businesses ahead of the curve and provide for a valuable defense in subsequent litigation.