October is cybersecurity awareness month – what is your company doing to manage your risk? From traditional retailers and restaurants to newspapers and social media sites, data breaches in 2018 have affected businesses and consumers across a wide range of industries. When a breach occurs, businesses face costly investigations, mandatory notifications, unwanted negative publicity, and even litigation. But, starting on November 2, 2018, companies in Ohio may benefit from an affirmative defense that could potentially shield them from significant costs associated with certain tort claims that follow a data breach.
The Ohio Data Protection Act, the first of its kind in the country, was signed into law by Gov. Kasich on August 3, 2018, and is intended to provide a legal incentive for businesses to adopt and implement data security protocols that are the best available for their type of business. The Act will provide an affirmative defense against allegations that the failure to implement reasonable information security controls resulted in a data breach concerning personal information to any business that qualifies as a “covered entity.” Covered entities are those businesses that access, maintain, communicate, or process personal information or restricted information. “Personal information” includes an individual’s name, in combination with a person’s unencrypted social security number, driver’s license or state identification number, or account, credit, or debit card number with any security code or password that would permit access to an individual’s financial account. “Restricted information” includes any unencrypted information about an individual that can be used to distinguish or trace the individual’s identity or that is linkable to an individual, the breach of which is likely to result in a material risk of identity theft or other fraud.
To qualify for the affirmative defense, businesses must create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information and restricted information and that reasonably conforms to an industry recognized cybersecurity framework. The Data Protection Act also updates the Uniform Electronic Transaction Act to give legal effect to transactions recorded by blockchain technology. This legislation is part of a growing effort to make Ohio’s legal landscape conducive to rapidly-evolving technology advancements and was enacted as part of Ohio Attorney General Mike DeWine’s CyberOhio Initiative.
To qualify for the defense, a business must implement written cybersecurity measures designed to: (1) protect the security and confidentiality of personal information; (2) protect against any anticipated threats or hazards to the security or integrity of the personal information; and (3) protect against unauthorized access to and acquisition of information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates. The scale and scope of the cybersecurity program necessary to qualify depends on what is appropriate for the business and must be based on all of the following factors: the size and complexity of the business, the nature and scope of its activities, the sensitivity of information protected under the program, the cost and availability of tools to improve information security and reduce vulnerabilities, and the resources available to the business.
Beyond that, a covered entity’s cybersecurity program must “reasonably conform” to one of several industry-recognized or regulatory frameworks, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Federal Risk and Authorization Management Program (FedRAMP), the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry’s Data Security Standards (PCI-DSS), among others. A business bears the burden of proof to establish that its cybersecurity protocols reasonably conform with one of the applicable frameworks, and it has an ongoing duty to ensure that its cybersecurity program reasonably conforms to any revisions to the applicable frameworks not later than one year after the applicable revision date.
Though the creation of this affirmative defense is a step in the right direction in reducing the risk exposure of companies that experience a data breach, its protection is noticeably limited in scope to certain types of tort claims, leaving even those businesses that have robust cybersecurity programs vulnerable to statutory violations, such as data breach notification requirements, or claims based in contract, such as a business-vendor dispute. This is a good opportunity to evaluate what types of information your business collects, maintains, and shares, as well as the current safeguards in place to protect that information. No company is immune to the threat of a data breach, and companies should approach data protection as a question of when a breach will occur, rather than if. At this point, cybersecurity risks should be considered as part of your organization’s risk management processes. Before a breach occurs, take the steps to protect your company, including implementing your cybersecurity program and examining your litigation insurance policy to determine if a breach would be covered. In any event, be sure to designate your Frantz Ward attorney on your insurance policy to ensure your interests are protected when the time comes.