Ohio Data Protection Act: A Safe Harbor from Cyber Liability

April 30, 2019

Although the cybersecurity industry has recently made great strides at reducing the number of digital attacks, bad actors continue to surprise the internet with increasingly sophisticated and intelligent strategies for breaching online data. This ongoing issue has become a painful and expensive thorn in the side of businesses around the country, many of whom have suffered significant losses, both financial and otherwise, at the hands of hackers. 

As a result, most responsible entities with an online presence have committed themselves to strengthening and protecting their network systems through robust cybersecurity tools, continuous training, and sizable service fees. 

But despite these best efforts, some organizations still find themselves in hot water when a malicious attack on their system succeeds.

The Struggle

Up until now, the onus for protection has been on the business itself, which must work with internal audit to maintain and comply with an industry-defined cybersecurity program. Otherwise, it faces punitive legal repercussions from both the US government and the public.

This relationship has left many organizations around the US feeling abandoned in the deep end of the pool, where there is no safety from the ongoing cyber threats of today. In response, several states, such as California, Delaware, and Connecticut, have instituted Data Privacy laws to regulate how personal online information is handled. 

However, the state of Ohio recently took the trend one step further, when Attorney General Mike DeWine collaborated with Governor John Kasich to implement the Ohio Data Protection Act (DPA), which took effect on August 3rd, 2018. According to Jones Day:

The Ohio Data Protection Act ("Ohio DPA") provides a safe harbor against data breach lawsuits for businesses that implement and maintain cybersecurity programs that meet certain industry-recognized standards.

The Ohio DPA incentivizes businesses to implement and maintain an effective cybersecurity program by providing an affirmative defense to certain tort actions related to data breaches. The law does not require businesses to comply with the Ohio DPA. Rather, a business that can demonstrate its cybersecurity program meets certain enumerated standards is eligible for the defense to liability for the breach.

As the first law of its kind, the Ohio DPA offers much-needed support to businesses that find themselves facing legal action after a breach. The law is also the first piece of legislation to come out of Ohio Attorney General Mike DeWine’s CyberOhio Initiative. Jones Day goes on to state:

The Ohio DPA provides two incentives for businesses: (i) the DPA provides the opportunity for businesses to evaluate and improve their current program, which, as a result, lessens the likelihood of a data breach; and (ii) if such a breach still occurs, the DPA provides a safe-harbor defense against tort claims asserting that the business has inadequate data security measures.

Although other states in the country require companies to comply with specific cybersecurity compliance standards and punish companies that suffer data breaches, Ohio is the first state to provide an affirmative defense as an incentive to adopt industry-standard cybersecurity practices. An affirmative defense, to clarify, does not dispute the underlying facts; instead, the defendant raises additional facts that defeat liability. This is in contrast with an ordinary defense, where the party tries to show that the claim fails on its own terms. The law went into effect on November 2, 2018.

The Blame Game

When there is a data breach, people always look for someone to blame, and this responsibility typically falls on the shoulders of the victimized company. In truth, even relatively insignificant attacks can result in the loss of sensitive information, which means companies are always on the lookout for ways to limit their liability. 

The Ohio DPA essentially offers “safe harbor” to any business that “accesses, maintains, communicates, or processes personal or restricted information” by providing it with an affirmative defense to data breach claims brought under tort law. By invoking this defense—assuming the case arises under tort law and falls under Ohio jurisdiction—businesses can rebut liability in some instances where they are accused of failing to implement reasonable cybersecurity measures, resulting in a successful data breach.

According to the Ohio State Bar Association:

Ohio enacted the Data Protection Act, which provides an incentive-based program for businesses to strengthen their cybersecurity practices. Specifically, the DPA provides companies with a safe harbor against data breach claims sounding in tort (such as negligence) brought under the laws or in the courts of Ohio for companies that implement, maintain and comply with one of several industry-recognized cybersecurity programs. Significantly, contained in the text of the DPA is an express provision which provides that the Act does not “create a minimum cybersecurity standard that must be achieved” or “impose liability upon businesses that do not obtain or maintain practices in compliance with the act.” Instead, the DPA endeavors “to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action.”

The measure has resonated well with businesses, and other states are beginning to follow suit. The Ohio DPA also recognizes that different companies have different needs and different resources available to support cybersecurity efforts. To accommodate the variety of businesses in the state, the law weighs individualized factors in determining the adequate scope of a company’s program.

Today, companies abiding by Ohio DPA can choose between different cybersecurity frameworks, and they have the freedom to select the one that best suits their history and circumstances.

3 Ways To Take Advantage of the Safe Harbor Provision

Companies that want to take advantage of the safe harbor provision under the Ohio DPA must develop a cybersecurity program that meets the following requirements:

  1. Protect the security and confidentiality of sensitive and personal information.
  2. Protect against anticipated hazards or threats and secure the integrity of personal information.
  3. Prevent unauthorized access to personal information that may result in a material or real risk of identity theft or other scams or fraud that affect individuals and customers. 

Again, the Ohio DPA recognizes that all companies are different, and it makes allowances for companies that want to define the scale and scope of their own cybersecurity program. The law takes the following factors into account:

  • The size, mission, and complexity of a company
  • The range and nature of the company’s activities
  • The sensitivity of the information the company wants to protect
  • The availability and cost of tools designed to improve cybersecurity and close cybersecurity loopholes and gaps
  • The company’s available cybersecurity resources

Under the Ohio DPA, a local skincare store will not be required to meet the same cybersecurity standards as a healthcare organization with thousands of employees and daily dealings with secure and personal data. 

The Ohio State Bar Association does clarify that the Ohio DPA has some special requirements for specific businesses:

For businesses that accept payment cards, to qualify for the affirmative defense, these organizations’ cybersecurity programs must comply with the Payment Card Industry’s Data Security Standards (PCI-DSS), in addition to one of the generally applicable frameworks identified above. Similarly, companies subject to certain state or federally mandated sector-specific laws may rely on the affirmative defense if—in addition to conforming with one of the above generally applicable frameworks—they can establish that their plan conforms to any additional security requirements, such as the security requirements identified in the Health Insurance Portability and Accountability Act (HIPAA), Title V of the Gramm-Leach-Bliley Act (GLBA), the Federal Information Security Modernization Act (FISMA), or the Health Information Technology for Economic and Clinical Health Act (HITECH).

Defining Reason

Today, the definition of what is “reasonable” in the world of cybersecurity exists in industry-recognized frameworks. Part of the struggle for modern companies lies in deciding what is reasonable for them, and how to go about adopting structures that suit their purposes and needs. Using a series of specialized applications, Apptega can help your organization to efficiently build, manage, and report a program that complies with any of these standards:

  • National Institute of Standards and Technology (NIST) Cybersecurity Framework
  • NIST Special Publications 800-53, 800-53A, or 800-171
  • American Institute of Certified Public Accountants SOC for Service Organizations (SOC 2)
  • Center for Internet Security Critical Security Controls (CIS CSC)
  • International Organization for Standardization (ISO 27001)
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule Subpart C
  • Federal Information Security Modernization Act of 2014 (FISMA)
  • Payment Card Industry standard (PCI) plus another listed framework
  • The New York Department of Financial Services 23 NYCRR 500 (NYDFS 500)

According to Jones Day, “Businesses regulated by states and/or federal governments must "reasonably conform" to one of the following cybersecurity frameworks, if applicable to that particular business:

  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule;
  • Title V of the Gramm-Leach-Bliley Act of 1999;
  • The Federal Information Security Modernization Act of 2014 (FISMA); or
  • The Health Information Technology for Economic and Clinical Health Act (HITECH).”

By following the Ohio DPA’s requirements and guidelines, companies can close the cybersecurity gaps they may be facing, and access the incentives set forth by this intelligent and forward-thinking program. 

Key Takeaways: Understanding the Ohio DPA

While the Ohio DPA’s flexibility makes it a unique and welcome law for many business owners, it can also make the law feel more challenging to understand. With that in mind, here are five key takeaways to ensure you understand the Ohio DPA and can implement its guidelines as your business sees fit:

  1. There are no Minimum Standards
    Unlike other cybersecurity laws, the Ohio DPA does not establish a minimum standard to which it holds all companies. Instead, it takes various company factors into account, including a company’s size, specialty, and available resources.
  2. The Ohio DPA Does not Modify Ohio’s Current Notification Laws
    These laws, which require businesses to provide notice of data breaches as outlined in the Ohio Revised Code (O.R.C. 1349.19), remain intact. Instead of replacing these laws, the Ohio DPA complements and enhances them. 
  3. The Ohio DPA Provides an Affirmative Defense
    This affirmative defense is available in tort actions brought by plaintiffs whose claims are based on Ohio law.
  4. The Ohio DPA Provides an Incentive
    The Ohio DPA was primarily established to provide an incentive for companies that want to review their current cybersecurity programs, assess how susceptible they are to breaches, and decide what to do about it.
  5. The Ohio DPA Cannot Protect Against all Breaches
    Not all cyber attacks are avoidable. This means that companies that wish to use the Ohio DPA should see it as an opportunity rather than a safeguard. These companies can implement qualifying cybersecurity programs now, to take advantage of the statutory affirmative defense to the claims that frequently follow breaches.

Apptega’s Solution

Any business in compliance with one of these listed frameworks has the freedom to tailor the scope of its cybersecurity program to meet its unique professional needs. Each Apptega application represents an element of control in your company’s broader cybersecurity compliance and management. By sharing data with other applications through a single online dashboard, you can save yourself hours of manual administrative work while gaining unprecedented visibility and control over your entire security program. How you design this program will depend on factors such as the activity, size, complexity, profitability, resources, and sensitive nature of your business. In a nutshell, these frameworks demand that companies implement security programs protecting against these three things:

  • Unsafe storage and dissemination of digital data
  • Anticipated threats or hazards to the security or integrity of the information
  • Unauthorized access and theft of any data likely to result in stolen identity or other fraud

These guidelines offer businesses a way to stay proactive in their cybersecurity efforts while continuing to gather and disseminate sensitive online data. They also incentivize companies that are not currently adhering to recommended security protocols to get on board and protect themselves—and their customers. With the combined protection of Apptega’s cybersecurity management software and innovative laws like the Ohio DPA, businesses can now find a safe harbor in the ongoing storm of digital life.

Schedule a demo today to learn more.