Ohio Passes First ‘Safe Harbor’ Law Incentivizing Cybersecurity Controls
The new law will establish legal protections for organizations that voluntarily adhere to prevailing cybersecurity frameworks and implement a written information security program (i.e. a “WISP”). The law is set to go into effect November 1, 2018 and will apply to businesses and non-profits alike.
In order to provide organizations with a legal incentive to achieve a “higher level of cybersecurity,” the Ohio Data Protection Act will establish a legal safe harbor from litigation resulting from a data breach. Under the Act, organizations will be able to plead an affirmative defense against any tort-based cause of action if they are able to (1) demonstrate that they have implemented and followed an internal WISP and (2) show compliance with any one of the following eight cybersecurity or legal frameworks:
- Center for Internet Security’s (CIS) Critical Security Controls for Effective Cyber Defense;
- Federal Information Security Modernization Act;
- Federal Risk and Authorization Management Program’s Security Assessment Framework;
- Gramm-Leach-Bliley Act’s Safeguards Rule;
- Health Information Technology for Economic and Clinical Health Act;
- HIPAA Security Rule;
- ISO 27000 family; or
- NIST Cybersecurity Framework.
As currently written, the Act requires organizations to implement a program that “reasonably conforms” with one of the above frameworks. What reasonable conformance means in the context of creating, maintaining, and complying with a cybersecurity framework will ultimately be a question for a future fact finder to determine. Note that organizations meeting the standards of PCI-DSS (the prevailing US credit card payment security standard) will also need to comply with one of the eight frameworks. PCI-DSS compliance alone will not qualify an organization to plead the safe harbor affirmative defense.
Ohio law falls short of establishing legal immunity
The Act by no means establishes legal immunity for organizations that adopt a cybersecurity framework. Instead, it provides a new defense for a defendant involved in a lawsuit tied to its data practices. But a defendant that has a WISP could still be sued, and found liable, for mismanaging or failing to protect data.
Adhering to a cybersecurity framework will be voluntary
Unlike Massachusetts’s well-known and decade-old data protection law, Ohio’s new safe harbor law neither establishes nor seeks to establish minimum technical or organizational controls. Rather, the safe harbor law is designed to act as an incentive to encourage businesses to voluntarily achieve a higher level of cybersecurity and organizational safeguards on their own. Indeed, the statute itself makes clear that the law’s passage should not be read to impose liability upon organizations that refrain from upgrading their cybersecurity practices.
This approach differs significantly from legislation passed earlier this year. Notably, Colorado’s new cybersecurity law, which came into effect on September 1, requires organizations to implement and maintain reasonable security measures to protect personal identifying information of Colorado residents. Such security measures also include implementing a written policy for the disposal of documents and contractually imposing all of the law’s security measures onto third-party service providers, which is also a Massachusetts requirement.
In contrast with Colorado and Massachusetts, Ohio’s Data Protection Act is silent on third-party service providers. In practice such issues will be addressed in the eight recommended cybersecurity frameworks above, allowing organizations the latitude to select whichever framework works best for their organizational model.
A different approach than the rest of the nation
Much like Colorado, Massachusetts and California’s recently passed Consumer Privacy Act, the Ohio Data Protection Act’s end-goal is to encourage businesses to place a premium on consumer privacy. However, the similarities end there.
The current draft of the California law establishes severe fines and a private right of action against businesses that fail to adhere to the law’s requirements. By contrast, the Ohio Data Protection Act does not contain any penalties for non-compliance.
With individual states and Congress frequently re-evaluating data protection regimes, the carrot-versus-stick approaches pursued by Ohio and California respectively offer legislatures helpful guideposts when drafting future laws. Indeed, as Senator John Thune (R-S.D.) noted in response to California’s new law during a September 26, 2018 consumer privacy hearing, Congress must determine “what [it] can do to promote clear privacy expectations without hurting innovation.” As Congress and other legislatures move forward to achieve this goal, we should expect Ohio’s incentive-based approach to receive more attention in the coming months.