Little more than one month after California enacted the sweeping California Consumer Privacy Act, reinforcing and expanding individual citizens’ privacy rights, Ohio Governor John Kasich signed into law S.B. 220, the Ohio Data Protection Act (“DPA”), to be codified at Ohio Rev. Code §§ 1354.01-.05. Where the California law focuses largely on the rights of individuals to control their personal data (mimicking, to a lesser extent, the European Union’s expansive General Data Protection Regulation), the Ohio legislation is directed at encouraging the state’s business community to get its cybersecurity affairs in order to better protect against risks to consumer and employee data. The net/net of Ohio’s new law should be a win/win for individuals and for Ohio companies.
A product of Ohio Attorney General (and GOP gubernatorial candidate) Mike DeWine’s CyberOhio Initiative, the DPA is largely a response to the growing and ever-present risks of data breaches. While the DPA does not remove or modify any of the existing statutory notice obligations upon discovery of a breach event (Ohio Rev. Code § 1349.19), and does not insulate businesses experiencing a breach from the risk of liability, the measure provides an explicit path that businesses can (and should) follow to lessen exposure.
Making explicit reference to industry-adopted frameworks (Ohio Rev. Code § 1354.03), and providing guidelines for scaling the cybersecurity measures to fit the size and nature of the business organization (Ohio Rev. Code § 1354.02(C)), the aspirational goal for the DPA is to provide businesses with both flexibility and certainty in building (or improving) and implementing a cybersecurity program. The payoff for businesses is at least two-fold:
- The creation (or improvement) of data protection procedures governing the collection, maintenance and use of personal data, thereby lessening the risk of a data breach event; and
- The ability to assert an affirmative “safe harbor” defense against tort claims alleging that inadequate data security measures led to a breach exposing or revealing personal information.
The DPA does not take effect until November 2, 2018, so it remains to be seen whether businesses will take advantage of this hedge against the risks presented by a breach event. But companies need only look at the ever-increasing number of breach events over the last dozen years — and the resulting costs to remedy the breach and often abate the trailing litigation expense and exposure — to gauge whether investing in an audit of existing procedures and putting a new or improved plan in place makes good business sense.
So what is required to qualify for safe harbor protection? The DPA (Ohio Rev. Code § 1354.02(B)) requires a company to create, maintain and comply with a written cybersecurity program designed to:
- protect the security and confidentiality of personal information;
- protect against any anticipated threats or hazards to the security or integrity of personal information within the company’s control; and
- protect against unauthorized access to, and acquisition of, information that is likely to result in a material risk of identity theft or other fraud.
Again, the DPA as enacted recognizes that no two organizations are quite the same, so the scale of an effective program may take into account the size and type of organization, the type of personal information to be protected, and the cost and availability of resources to implement an effective program. Ohio Rev. Code § 1354.02(C). There is, of course, little detail in these factors, so some challenges to compliance efforts are inevitable down the road. Importantly, however, in an effort to further guide organizations in their cybersecurity compliance efforts, the DPA (at § 1354.03) lists several industry-recognized frameworks, “reasonable conformity” with one of which is required to assert safe harbor status. Those industry-recognized frameworks include but are not limited to:
- The National Institute of Standards and Technology’s (NIST) Cybersecurity Framework;
- The Federal Risk and Authorization Management Program (FedRAMP) security assessment framework;
- The Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) for healthcare industry businesses subject to HIPAA oversight;
- The Federal Information Security Modernization Act of 2014 (P.L. 113-283); and
- The Safeguards Rule of the Gramm-Leach-Bliley Act, for certain financial institutions.
The patchwork quilt of state data breach laws presents a compliance quagmire for businesses operating across state lines and, indeed, overseas. There have been many efforts in recent years to pass federal data breach legislation setting a national standard, but congressional action has bogged down in the last several sessions. Most state breach laws focus on notice and disclosure obligations in the event of a breach, with financial sanctions often included to motivate notice compliance. While Ohio’s new DPA is fresh on the books and supplements existing breach notice and disclosure obligations, it is an important step forward in how businesses consider and address cybersecurity challenges. Where most state breach laws seek to motivate through the threat of punitive measures, Ohio’s DPA offers an affirmative incentive instead.
If Ohio’s business community takes advantage of the DPA’s incentives, the proactive and prophylactic work to enhance cybersecurity protections will pay dividends by reducing liability exposure and will help to minimize not only potential damages but also reputational harm in the event of a breach.