Last August, Ohio Governor John Kasich signed into law a revolutionary piece of legislation called the Ohio Data Protection Act (2018 SB 220). The first of its kind in the United States, the Ohio Data Protection Act encourages businesses to adopt strong cybersecurity practices to protect consumer data. If an Ohio business voluntarily complies with one of several industry-standard cybersecurity frameworks (listed below), they will be rewarded by being able to use their compliance as an affirmative defense in court if they should fall victim to a cyber attack or data breach.
An affirmative defense allows a defendant to introduce evidence, that if found credible, can negate civil liability, even if the allegations are true.
How does the Ohio Data Protection Act Work?
In order to use the affirmative defense, Ohio businesses must prove that they are compliant with one of the eleven approved cybersecurity frameworks. Many of the frameworks below have no official auditing body; however, the presence of a Systems Security Plan (SSP), Plan of Action and Milestones (POAM), an Incident Response Plan (IRP), and other supporting documentation go a long way towards demonstrating a business’ efforts towards compliance with its cybersecurity framework of choice.
Ohio Data Protection Act – Supported Cybersecurity Frameworks
Health Insurance Portability and Accountability Act (HIPAA)
Health Information Technology for Economic and Clinical Health (HITECH) Act
Gramm-Leach-Bliley Act (GLBA)
Federal Information Security Management Act (FISMA)
NIST Special Publication 800-53
NIST Special Publication 800-53A
NIST Special Publication 800-171
Federal Risk and Authorization Management Program (FedRAMP)
The Center for Internet Security’s Critical Security Controls (CIS CSC)
International Standard for Organization (ISO) / International Electrotechnical Commission (IEC) 27000
Payment Card Industry – Data Security Standard (PCI-DSS)*
*PCI-DSS – PCI compliance alone will not fulfill the cybersecurity framework conformance requirement of the Ohio Data Protection Act. A company must be compliant with one of the other 10 standards listed here to be fully compliant with the Ohio Data Protection Act.
What about Small Businesses?
Yes! Small businesses are covered too. The Ohio Data Protection Act accounts for the fact that small businesses don’t have the same resources to spend on cybersecurity compliance as their larger counterparts. The degree of compliance required of any one business is judged based on the following business characteristics:
- Cost of Compliance
- Resources Available
In other words, a giant multi-national corporation would be expected to spend more time/money/effort towards conformity of NIST 800-171 than a small “mom and pop” machine shop. Luckily, small manufacturers can get NIST 800-171 and FedRAMP compliance help from their local Manufacturing Extension Partner.
This Sounds Too Good to be True…
Yes, it does! To be honest, the legislation is still pretty new and there’s not a lot of case history where companies have successfully used the Ohio Data Protection Act as an affirmative defense in the wake of a cyber security breach.
Even if a company does use the ODPA as an affirmative defense, they might have a hard time establishing that the company had reasonable cyber security protections in place at the time of their breach. Because the Act stipulates only “reasonable” protections based on the qualifiers above, I think there will still be plenty of time spent in court arguing whether a business fulfilled their obligations of data protection or not.
So… The ODPA isn’t a “get out of jail free” card but it does provide positive encouragement for companies to consider their cyber security posture before a breach so we still support it.
What if I’m not Compliant?
Believe it or not, the Ohio Data Protection Act is all carrot and no stick. That’s why it’s so revolutionary! Many industries have regulatory standards around cybersecurity (HIPAA in the medical field, NIST 800-171 in manufacturing) that must be met but it’s up to the different governing bodies to enforce those standards and levy fines and penalties for non-compliance. For example, the US Department of Health and Human Services regulates HIPAA.
Again, the Ohio Data Protection Act WILL NOT penalize you if you don’t meet one of the stated cybersecurity standards. Don’t you want to do the right thing and make sure you’re compliant anyway though?
How do I get Compliant?
To be honest, it depends on your industry. If you’re a manufacturer handling Confidential but Unclassified Information (CUI) then NIST 800-171 is for you. If you’re in the medical field then HIPAA or HITECH is going to be a better fit.
Either way, just contact us and we’ll be happy to help you figure out what the ODPA means for your business. Whether you’re looking for cybersecurity help or you’d like an IT assessment of where your company might need a quick tune-up we’ll be happy to help. That’s what we’re here for!
Launched in 2016, the goal of CyberOhio is to help foster a legal, technical, and collaborative cybersecurity environment to help Ohio businesses thrive. In addition to promoting legislation, other parts of the initiative include training opportunities for businesses, development of cybersecurity workforce personnel, and expansion of the Ohio Attorney General‘s Identity Theft Unit.