In November 2018 Ohio’s Data Protection Act (Ohio Rev. Code § 1354.01, et seq.) went into effect. A first-if-its-kind state law, it provides a company with an affirmative defense, to tort claims arising out of a data breach as long as the company can prove it had a cybersecurity program in place that meets an industry-recognized framework. Under the law, an affirmative defense is a defense that will negate liability of alleged unlawful conduct. This type of defense doesn’t dispute the truth of the elements of a plaintiff’s claim that a company experienced a data breach that compromised personal information. Instead, it argues that the plaintiff cannot legally assert a claim against the company once the company proves that it meets all the elements of the affirmative defense.
An Affirmative Defense is a Carrot, Not a Stick
The Ohio law is novel because it presents covered organizations with a positive inducement, or “carrot,” to enact information security programs that are based on certain industry-recognized cybersecurity frameworks. Most laws are based on negative or punitive inducements (e.g., a “stick”) to compliance and are written to compel a particular behavior in order to avoid an undesirable result like fines, regulatory actions, or lawsuits. The Ohio law does the reverse and essentially states “enact and follow good information security programs in the manner the law prescribes, and this law will protect you in a civil action for a data breach that discloses personal information.”
The Ohio law, which only applies to legal actions brought in the state of Ohio or its courts, is voluntary and businesses are not required to follow it (although if they do, they receive the benefit of the law in the form of the granted affirmative defense). In addition, the law does not prioritize one industry-recognized cybersecurity framework over another and is not intended to create a minimum cybersecurity standard that businesses in Ohio must follow.
The new law entices businesses to practice good cybersecurity hygiene practices, and may realize the twin benefits of reducing data breaches and protecting consumer data as a result.
The new law entices businesses to practice good cybersecurity hygiene practices, and may realize the twin benefits of reducing data breaches and protecting consumer data as a result. For businesses that implement cybersecurity programs based on industry-recognized frameworks and still experience a data breach, the Ohio law provides a safety net of sorts in that it recognizes that “data breaches happen.” This pragmatic acknowledgment of the difficulties inherent in securing businesses and data from rapidly evolving cyber threats may help stimulate economic activity within the state.
“In terms of cybersecurity, this new law changes the business climate in Ohio that will offer not only an advantage for Ohio-based businesses and organizations, but also an incentive for businesses to locate in Ohio,” said Tom Siu, Chief Information Security Officer at Case Western Reserve University in Cleveland, Ohio. “It is also a win for consumers to know that Ohio is the place where cybersecurity programs are part of our ‘fine Midwestern sensibilities’ and will reduce the risk and worry they may have about data breaches.”
Elements of the Ohio Data Protection Act
The Data Protection Act applies to businesses organized or operating in the State of Ohio that use or store personal or restricted information. It covers nonprofit and for-profit businesses, as well as public and private educational institutions.
To take advantage of the safe harbor, covered businesses must “create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards” for the protection of personal and/or restricted information that is based on current versions of one of the following industry-recognized frameworks:
- The NIST Cybersecurity Framework (CSF)
- NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations)
- NIST SP 800-53 (Recommended Security Controls for Federal Information Systems and Organizations) or SP 800-53a
- Federal Risk and Authorization Management Program (FedRAMP)
- Center for Internet Security’s Critical Security Controls
- International Organization for Standardization/International Electrotechnical Commission’s 27000 Family – Information Security Management Systems
While covered businesses must be able to show that they have implemented and reasonably comply with an industry-recognized cybersecurity framework, the law also allows for some flexibility in how a covered business implements a framework. Under the law, businesses may modify the scale and scope of their program based on the:
- Size and complexity of the business;
- Nature and scope of the activities of the business;
- Sensitivity of the information to be protected;
- Cost and availability of tools to improve information security and reduce vulnerabilities; and
- Resources available to the business.
The law also contains protection for entities that are regulated by state or federal governments. For example, businesses with cybersecurity programs that comply with current versions of the HIPAA Security Rule, the Gramm Leach Bliley Act, FISMA, or the HITECH Act may also take advantage of the law. The is one caveat for businesses that accept credit cards for payment–they must also comply with the PCI Data Security Standard in order to take advantage of the affirmative defense.
What Does the Ohio Data Protection Act Mean for Higher Education Institutions?
When it was first promulgated, the Ohio Data Protection Act did not include higher education institutions in the definition of “businesses” that could take advantage of the law. However, the Ohio legislature amended the law in late December 2018 to specifically include public and private educational institutions in that definition. This is good news for higher education institutions in Ohio because it means that if they comply with the law, and can demonstrate that compliance, they will be able to use the affirmative defense should they be sued in Ohio for a data breach that discloses personal information. It is also good news for institutions not located in Ohio that may experience a data breach involving the personal data of Ohio residents as the institution can take advantage of the affirmative defense in any subsequent data breach case that may be initiated in an Ohio court.
Colleges and universities are particularly well-suited to take advantage of the Ohio Data Protection Act because of their long history of being subject to laws and regulations surrounding the different types of personal data that they collect. These laws, like HIPAA and GLBA, have long-mandated the creation of cybersecurity programs. Higher education institutions can take maximum advantage of this law by adopting a unified compliance approach for their cybersecurity programs. Meaning, rather than scoping or limiting the auspices of their programs to different data elements or specific regulations, campus cybersecurity programs should be based on an industry-recognized standard, implemented on an institution-wide basis, and then scoped appropriately for the needs of the institution. Institutions should also follow good information security governance practices like ensuring that programs are well-documented, that staff and faculty receive training on the program, and that reviews regularly take place to document institutional compliance with program.
David Seidl, Vice President for Information Technology and Chief Information Office at Miami University in Oxford, Ohio describes the Data Protection Act as a win for higher education in Ohio. “The amendment to the Ohio Data Protection Act was something we were really pushing for. Many colleges and universities have already adopted elements of the standards described in the Act,” Seidl said. “Now each institution has the opportunity to assess what they are doing and to align their policies and programs to eliminate the often-fractured islands of mandated compliance, allowing them to take advantage of the affirmative defense. It can help CIOs and information security officers push forward consistent security practices and policies organization wide.”
“The Ohio Data Protection Act can help CIOs and information security officers push forward consistent security practices and policies organization wide.”
David Seidl, Vice President for Information Technology and CIO at Miami University of Ohio
The Ohio Data Protection Act represents a new approach to encouraging businesses, including higher education institutions, to invest time and attention on their cybersecurity programs in order to protect the personal data of their constituents. The law definitely presents organizations with a carrot to improve their information security posture, rather than wielding a stick. If Ohio can show that the law is successful in encouraging organizations to adopt good cybersecurity practices, other states may be enticed to enact similar laws in the future if the Ohio Data Protection Act helps draw businesses (and money) to the state of Ohio.
This post was authored by Joanna Lyn Grama, JD, CISSP who is a Senior Consultant at Vantage Technology Consulting Group where she advises clients on information security policy, compliance, governance and data privacy issues. Portions of the content in this blog were first published in EdScoop on January 28, 2019. Note that this article does not constitute legal advice. Organizations seeking advice on the application of the Ohio Data Protection Act or any of the laws mentioned in this article should consult with their legal counsel.