In an age when information and data fuel businesses, understanding the value of cybersecurity in protecting that data is crucial. Lawmakers and business owners continue to recognize the new, complex risks that come with doing business in cyberspace every day. That’s why on August 3, 2018, Ohio Governor John Kasich signed Senate Bill No. 220, the Ohio Data Protection Act. This legislation makes Ohio the first state to enact a law that incentivizes businesses to implement a cybersecurity program by providing a safe harbor to businesses that do so. Let’s discuss what the Ohio Data Protection Act requires of businesses and how it can protect them.
What the Ohio Data Protection Act Is and Isn’t
This legislation is part of CyberOhio, an initiative led by Mike DeWine, Ohio’s Attorney General. CyberOhio aims to help businesses defend themselves against ever-changing cyber threats, and legislation like the Ohio Data Protection Act is a major component of that initiative. It’s a way to protect businesses and consumers from the harm that data breaches cause.
The law clearly states that the Ohio Data Protection Act is not meant to be a minimum cybersecurity standard that businesses in Ohio must achieve. Unlike other states’ cybersecurity laws (like New York’s regulation for financial services companies), the Ohio Data Protection Act is voluntary. It gives businesses a reason to be proactive with their cybersecurity program instead of imposing additional regulations they are required to follow.
The law does not alter any of Ohio’s current breach notification laws, but it does establish a legal safe harbor to be pled as an affirmative defense when a business is accused of failure to implement reasonable information security controls that resulted in a data breach.
Requirements of the Ohio Data Protection Act
A business seeking to comply with the Ohio Data Protection Act must do the following:
- Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal and/or restricted information and that reasonably conforms to an industry-recognized cybersecurity framework
- Design a cybersecurity program that protects the security and confidentiality of personal and/or restricted information
- Design a cybersecurity program that protects against any anticipated threats or hazards to the security or integrity of personal and/or restricted information
- Design a cybersecurity program that protects against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or fraud to the individual to whom the information relates
Because there are so many types of businesses in Ohio, the law takes scalability seriously. As of 2018, the U.S. Small Business Administration reported over 944,000 small businesses based in Ohio; those businesses must have the same opportunity for compliance as a business of any other size. The law states that the scope of a business’s cybersecurity program depends on the following factors:
- Size and complexity of the business
- Nature and scope of the activities of the business
- Sensitivity of the information being protected
- Cost and availability of tools to improve information security and reduce vulnerabilities
- Resources available to the business
Basis for a Cybersecurity Program
The Ohio Data Protection Act has selected five industry-recognized cybersecurity frameworks on which businesses should model their cybersecurity programs. These frameworks include:
- NIST Special Publication 800-171
- NIST Special Publications 800-53 and 800-53A
- CIS Critical Security Controls for Effective Cyber Defense
- ISO 27000 Family – Information Security Management Systems
The law also says that if a business is subject to any other regulations, like HIPAA, FISMA, or PCI, its cybersecurity program must also comply with those regulations.
When a revision to any of the frameworks listed above is released, businesses complying with the Ohio Data Protection Act have one year to conform to the revised edition.
If you are interested in complying with the Ohio Data Protection Act or want to learn more, contact us today. We’d be happy to discuss how your current or future compliance efforts could align with this legislation.