Ohio has become the first state to enact legislation providing liability protection for businesses that implement a written cybersecurity program that “reasonably conforms” to certain cybersecurity frameworks or laws to protect personal information. This approach stands in stark contrast to the one taken by California in its recently passed Consumer Privacy Act, which established a private right of action against organizations that fail to maintain such reasonable security measures.
The Ohio law makes its protections available to businesses that access, maintain, communicate, or process “personal information” or “restricted information” via systems, networks, or services located in or outside of the state. Personal information has the same definition as in the state’s breach notification law. Restricted information means any other information about an individual that, alone or in combination with other information, can be used to distinguish or trace an individual or that is linked or linkable to an individual, the breach of which is likely to result in a material risk of identity theft or fraud to person or property.
The liability protection provided by the law is an affirmative defense to any tort complaint brought under the laws of Ohio or in an Ohio court that alleges that the failure to implement reasonable information security controls resulted in a data breach. To qualify for the affirmative defense, the business must have implemented a written cybersecurity program containing administrative, technical, and physical safeguards for the protection of personal information and/or restricted information that:
- Reasonably conforms to one of a designated set of cybersecurity standards or laws; and
- Is designed to protect the security and confidentiality of the information, protect against anticipated threats or hazards to security or integrity, and protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud; and
- Is appropriate in scope and scale in light of the size and complexity of the business, the nature and scope of the business’s activities, the sensitivity of the information, the cost and availability of tools to improve security and reduce vulnerabilities, and the resources available to the business.
The standards with which a business’s security program may conform include the NIST Cybersecurity Framework; NIST SP 800-171, SP 800-53 and SP 800-53A; FedRAMP; the CIS Controls; and the ISO 27000 family. The affirmative defense is also available where a business’s cybersecurity program conforms to the PCI Data Security Standard (PCI DSS) and one of the other standards. Finally, a business that is regulated or that is subject to certain security regulations can also take advantage of the affirmative defense if its cybersecurity program reasonably conforms to one of several data security laws and regulations, including the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, Title V of the Gramm-Leach-Bliley Act (GLBA), the Federal Information Security Modernization Act of 2014, and the Health Information Technology for Economic and Clinical Health (HITECH) Act (45 CFR part 162).
The list of frameworks and laws/regulations raises several questions. For instance, the standards listed vary in complexity and in the burden of implementation, raising the question of why a business would choose to implement a more complex standard (e.g., NIST SP 800-53) over a less stringent one (e.g., NIST SP 800-171, which is ostensibly a slimmer version of SP 800-53). In addition, the law provides an affirmative defense to businesses that implement a cybersecurity program that reasonably conforms to some laws/regulations that don’t always address specific cybersecurity requirements, such as GLBA and the portion of the CFR cited in relation to HITECH. Finally, it is unclear from the law why an entity would choose to implement the PCI DSS in addition to another framework when it has the option of implementing a single security standard to gain the affirmative defense provided by the statute.
Moreover, establishing that a business qualifies for the safe harbor is likely to be challenging. For example, some of the standards (e.g., NIST) do not have a standard certification process, so it may be difficult to demonstrate reasonable conformity with them. It is likely to be similarly challenging to demonstrate conformity with the specified data security laws, given the flexible nature of their requirements (e.g., the HIPAA Security Rule includes some requirements that are “addressable” but not necessarily “required”).
Nevertheless, in light of the increasing data security risks facing many organizations, the Ohio Data Protection Act may grant some relief. And for observers concerned that a law such as Ohio’s could have the unintended effect of creating a cybersecurity standard of care or otherwise creating a roadmap for plaintiffs, the bill also provides that it “shall not be construed to provide a private right of action” and that it “is intended to be an incentive” and does not “create a minimum cybersecurity standard that must be achieved[.]”