Ohio’s New Cybersecurity Law Grants Data Breach Litigation Safe Harbor

Ohio’s law – effective November 2018 – creates a safe harbor for organizations that adopt one of 10 cybersecurity compliance frameworks.

With a new cybersecurity law, the home of the Rock and Roll Hall of Fame is now rocking the cybersecurity framework discussion.

Effective November 2, 2018, Ohio’s law puts cybersecurity frameworks center stage. The law (Senate Bill 220) incentivizes businesses in Ohio to voluntarily adopt cybersecurity frameworks to protect consumer data. The incentive to act comes in the form of a legal safe harbor.

Essentially, if a company has a data breach, it may be entitled to protections during civil litigation if it has previously enacted one of the named security frameworks listed below.

This legislation has attracted interest because…

Data breaches are expensive.

The most expensive data breach fines and settlements include:

  • Uber’s $148 million nationwide settlement with the states for a 2016 breach (and a private class action is being litigated in California).
  • Yahoo’s $85 million for its 2013 breach (about $36 per record). This includes $35 million to the SEC and $50 million to settle the subsequent class action lawsuit.
  • Tesco Bank’s $21 million for its 2016 breach – a UK government fine.
  • Anthem’s $16 million government fine for a 2015 breach – plus a $115 million payout in 2017 to settle a class action lawsuit.
  • University of Texas MD Anderson Cancer Center’s $4.3 million to the US government for HIPAA violations from 3 data breaches between 2012 and 2013.

For many companies doing business in Ohio, picking a cyber framework or improving compliance percentages will now be a short-term goal.

Let’s talk frameworks.

Ohio’s new law identifies specific industry-recognized cybersecurity frameworks on which businesses can base their security and use the safe harbor provision.  In short, if you implement one of these frameworks, you demonstrate that reasonable information security controls are in place.

Under the new law, Ohio’s “industry recognized cybersecurity framework(s)” are:

#1:  The framework for improving critical infrastructure cybersecurity developed by the national institute of standards and technology (NIST)

Translation: The NIST Cybersecurity Framework (CSF)

Good fit for: Organizations in any sector, of any size seeking a voluntary baseline cybersecurity framework

#2: NIST special publication 800-171

Translation: NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations). NIST 800-171 is a subset of the much larger NIST 800-53.

Good fit for: Government contractors, especially DoD contractors with DFARS requirements

#3: NIST special publications 800-53 and 800-53a

Translation: NIST SP 800-53 (Recommended Security Controls for Federal Information Systems and Organizations).

Good fit for: Companies with more advanced cybersecurity programs

Read our blog:  NIST 800-171 vs NIST 800-53: Big Differences

#4: The federal risk and authorization management program (FedRAMP) security assessment framework

Translation: FedRAMP

Good fit for: Cloud service providers that store government data or would like to be on the FedRAMP Authorized Products List. FedRAMP uses NIST 800-53, but with the added step of an audit performed by a Third-Party Assessment Organization (3PAO).

#5: The center for internet security critical security controls for effective cyber defense

Translation: CIS Controls – formerly the SANS Top 20

Good fit for: Businesses of any size, especially those without other regulatory or contractual compliance mandates, as well as companies that have implemented other frameworks but are interested in improving security maturity. The CIS Controls are aligned with NIST CSF.

#6: The international organization for standardization/international electrotechnical commission 27000 family – information security management systems

Translation: ISO/IEC 27000

Good fit for: Any size company, particularly those storing sensitive data on behalf of customers

#7: The security requirements of the Health Insurance Portability and Accountability Act of 1996, as set forth in 45 CFR Part 164 Subpart C

Translation: HIPAA Security Rule

Good fit for: Health care professionals and entities subject to HIPAA

#8: Title V of the Gramm-Leach-Bliley Act of 1999, Public Law 106-102, as amended

Translation: Gramm-Leach-Bliley (GLB) Act Title 5 (Privacy of Consumer Financial Information)

Good fit for: Financial institutions covered by this Act

#9: The Federal Information Security Modernization Act of 2014, Public Law 113-283

Translation: FISMA

Good fit for: U.S. federal agencies

#10: The Health Information Technology for Economic and Clinical Health Act, as set forth in 45 CFR part 162

Translation: HITECH Act

Good fit for: Healthcare professionals and entities subject to the HITECH Act

Caveat. Entities that handle payment cards must comply with one of these 10 frameworks and the Payment Card Industry (PCI) Data Security Standards (DSS).

Translation: PCI DSS

Good fit for: Retail merchants and payment card information processors. A Qualified Security Assessor (QSA) company may be required to verify compliance.

Legal details.

For the affirmative defense to apply in a tort action, the entity must be adhering to the framework. There are caveats surrounding when the defense does and does not apply, as well as how compliance is measured and what to do about framework revisions. The law does not specify how to demonstrate compliance and perform periodic assessments. However, independent, third-party assessments are typically beneficial and, in some sectors, industry standard.

Choosing a cyber framework is a strategic decision.

So, thank you Ohio for shedding more light on the topic of cybersecurity framework options.  Choosing the right framework is a strategic decision.  To explore that topic more, read our blog: What Cyber Framework Should My Organization Follow?

How Sera-Brynn can help.

Contact us for information on how to choose the right framework or get a quote for an assessment. We perform cybersecurity compliance assessments and document compliance for organizations of all sizes — in Ohio and nationwide.

The author, Colleen H. Johnson, is Sera-Brynn’s legal analyst and can be reached at colleen.johnson@sera-brynn.com.