In 2018, Ohio – the home of the Rock & Roll Hall of Fame – enacted a cybersecurity law that rocked cybersecurity frameworks. The Ohio Data Protection Act (“ODPA” or the Act), passed as Senate Bill 220 and codified at Ohio Revised Code Chapter 1354, creates a safe harbor for organizations that adopt one of ten named cybersecurity compliance frameworks. This is unique. Most other state cybersecurity laws don’t name specific frameworks.
Of course, many U.S. federal laws dictate frameworks. For example, under the Defense Federal Acquisition Regulation Supplement (DFARS), clause 252.204-7012, certain Defense contractors must meet the minimum security standards set forth in NIST SP 800-171. NIST publications are central to many U.S. federal cyber laws.
But state laws? Not so much.
There are state cybersecurity laws that require organizations to implement information security programs, but not in adherence to particular frameworks.
For example, the New York State Department of Financial Services’ (DFS) cybersecurity regulation of 2017 – Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500 – requires those in scope to maintain a cybersecurity program, along with specified written policies. However, no security framework is named in the regulation.
Also, the National Association of Insurance Commissioners (NAIC)’s 2017 Insurance Data Security Model Law outlines its own set of generally accepted information security practices. However, the model law does not mention any specific, generally accepted cybersecurity framework. (Connecticut, South Carolina and Michigan passed laws similar to the model law.)
Ohio, on the other hand, leapt in with a law that put IT security frameworks centerstage.
The Ohio Data Protection Act
In a nutshell, the ODPA incentivizes businesses that handle Ohio consumers’ data to voluntarily adopt a cybersecurity framework to protect that data. The incentive is a form of legal safe harbor.
Essentially, if a covered entity – a business that accesses, maintains, communicates, or processes personal information – suffers a data breach, it may assert an affirmative defense in a tort action brought under Ohio law or in an Ohio court that alleges the breach resulted from a failure to implement reasonable security controls, provided it had already implemented and maintained a written cybersecurity program that reasonably conforms to one of the named frameworks explained below.
Notably, the defense is only as good as the conformance. The entity must reasonably conform to the current version of the framework, and when a final revision of that framework is published the entity has one year to conform to the revised version. The Act also expects the program to be scaled to the entity’s size and complexity, the nature and scope of its activities, the sensitivity of the information it holds, the cost and availability of tools, and the resources available to it. Whether the defense applies is decided case by case, and the law does not specify how to demonstrate or document compliance – but there are industry standards to consider.
Overview of the 10 cybersecurity frameworks
There are several industry-recognized cybersecurity frameworks on which organizations can base their security. The ODPA names ten that qualify for the safe harbor provision. In short, an organization that implements one of these frameworks and can show that it reasonably conforms to it has the basis for the Act’s affirmative defense. The Act does not make any of them a mandatory minimum standard, and conformance earns a defense rather than immunity: the entity still bears the burden of proving conformance if it is sued.
Under the ODPA, the “industry recognized cybersecurity framework(s)” are:
#1: The framework for improving critical infrastructure cybersecurity developed by the National Institute of Standards and Technology (NIST)
Translation: The NIST Cybersecurity Framework (CSF)
Good fit for: Organizations of any sector or size seeking a voluntary baseline cybersecurity framework.
#2: NIST special publication 800-171
Translation: NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations). Its 110 security requirements are derived from the moderate baseline of NIST SP 800-53 and FIPS 200, so it is considerably narrower than the full 800-53 catalog.
Good fit for: Government contractors, especially DoD contractors with DFARS requirements.
#3: NIST special publications 800-53 and 800-53a
Translation: NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations) and its companion, NIST SP 800-53A, which supplies the assessment procedures used to verify that each control is implemented and operating as intended.
Good fit for: Companies with more advanced cybersecurity programs
See related article: NIST 800-171 vs NIST 800-53: Big Differences.
#4: The federal risk and authorization management program (FedRAMP) security assessment framework
Good fit for: Cloud service providers that store government data or would like to be on the FedRAMP Marketplace as an authorized offering. FedRAMP builds on the NIST 800-53 control baselines (Low, Moderate and High) and adds independent assessment by an accredited Third-Party Assessment Organization (3PAO).
#5: The center for internet security critical security controls for effective cyber defense
Translation: CIS Controls – formerly the SANS Top 20 Critical Security Controls
Good fit for: Businesses of any size, especially those without other regulatory or contractual compliance mandates, and companies that have already implemented another framework and want to raise their security maturity. CIS publishes a mapping of the Controls to the NIST CSF.
#6: The international organization for standardization/international electrotechnical commission 27000 family – information security management systems
Translation: the ISO/IEC 27000 family. Certification is against ISO/IEC 27001, the information security management system (ISMS) requirements standard; ISO/IEC 27002 is control guidance and is not itself certifiable.
Good fit for: Any size company, particularly those storing sensitive data on behalf of customers.
#7: The security requirements of the Health Insurance Portability and Accountability Act of 1996, as set forth in 45 CFR Part 164 Subpart C
Translation: HIPAA Security Rule
Good fit for: Health care professionals and entities subject to HIPAA.
#8: Title V of the Gramm-Leach-Bliley Act of 1999, Public Law 106-102, as amended
Translation: Gramm-Leach-Bliley Act (GLBA) Title V (Privacy of Consumer Financial Information). The security piece of Title V is Section 501(b), implemented for FTC-regulated institutions as the Safeguards Rule (16 CFR Part 314) and for banks through the Interagency Guidelines Establishing Information Security Standards issued by their federal regulators.
Good fit for: Financial institutions covered by this Act.
#9: The Federal Information Security Modernization Act of 2014, Public Law 113-283
Good fit for: U.S. federal agencies and contractors operating information systems on their behalf.
#10: The Health Information Technology for Economic and Clinical Health Act, as set forth in 45 CFR part 162
Translation: HITECH Act
Good fit for: Healthcare professionals and entities subject to the HITECH Act.
Caveat. For covered entities that handle payment cards, the Act offers a third route: complying with the current version of the Payment Card Industry Data Security Standard (PCI DSS) together with one of the industry frameworks above (#1 through #6). Note also that the regulatory frameworks (#7 through #10) are available only to entities actually regulated by, or otherwise subject to, those laws.
Translation: PCI DSS
Good fit for: Retail merchants and payment card processors. Whether an on-site assessment by a Qualified Security Assessor (QSA) company with a Report on Compliance is required, or a Self-Assessment Questionnaire suffices, depends on the merchant or service provider level assigned by the card brands and the acquiring bank.
The role of independent attestations of compliance
A March 25, 2019 whitepaper jointly authored by professors and staff of The Ohio State University Moritz College of Law and Cleveland-Marshall College of Law put it succinctly:
“Qualified cybersecurity professionals can attest that a business’s program satisfies the cybersecurity framework it selects. In addition, several of the frameworks allow for a formal attestation of compliance. Such an attestation should significantly assist in asserting the defense but may not be sufficient on its own.”
The ODPA does not require a third-party audit to prove adherence, but a courtroom is not the place to show, for the first time, that you have diligently implemented and maintained hundreds of security controls. Many of the cybersecurity frameworks listed in the ODPA have a nexus with an independent assessment credential. FedRAMP requires an accredited Third-Party Assessment Organization (3PAO); the FedRAMP program office publishes the list of accredited 3PAOs. PCI DSS assessments at the higher merchant and service provider levels are performed by a Qualified Security Assessor (QSA); the PCI Security Standards Council maintains the list of QSA companies. Certification to ISO/IEC 27001 is issued by an accredited certification body after an audit by its auditors, not by ISO itself.
Independent validation of some form is possible for every framework listed in the ODPA, and a dated assessment report is far easier to put in front of a court than a reconstruction of what your controls looked like at the time of the breach.
The strategy of choosing a cyber framework
In general, all frameworks contain a set of controls that can be grouped into administrative, technical, and physical controls. Some are designed by public bodies, like NIST. Others are private standards, like ISO. Some require certified auditors to validate conformance; some do not. Also, they are not one-size-fits-all. Most have a target audience in mind.
There are negatives associated with frameworks: a lack (or perceived lack) of flexibility, a tendency to encourage a “check-the-box” mentality, and so on. However, if implemented correctly, a framework helps reduce operational cyber risk and improves IT governance. Reducing cyber risk – that’s the whole point.
However, laws that impose requirements respecting data security (and now privacy), but don’t name frameworks, can be hard to comply with. Google “GDPR compliance”. There are hundreds of diverse solution sets. Where do you start? Who do you listen to?
Choosing the right framework is a strategic decision – with lots of research required. Most organizations have drivers for picking a framework (size and complexity of infrastructure, nature and scope of IT activities, type of customer, industry-specific requirements, insurance considerations, in-house culture and resident expertise, cost, and many other factors). Organizations that qualify as covered entities under the ODPA now have one more driver: whichever framework they choose should be one of the ten the Act names, so that the affirmative defense is available.
How Sera-Brynn can help
Contact Sera-Brynn for information on how to choose the right framework or get a quote for an assessment. We perform cybersecurity compliance assessments and document compliance for organizations of all sizes — in Ohio and nationwide.
The author, Colleen H. Johnson, is Sera-Brynn’s legal analyst and can be reached at firstname.lastname@example.org.