Yahoo. Equifax. LinkedIn. Target. Aside from being some of the world's largest corporate entities, these companies are just a few of the more noteworthy businesses that have fallen victim to data breach incidents in recent years. Companies large and small today now face the tough reality that it is no longer a matter of “if,” but rather “when,” a company's network will be breached.

Over the years, lawmakers have struggled with devising effective methods for enhancing the cybersecurity of private organizations without mandating one-size-fits-all requirements that undercut effective data security management. At the beginning of November, Senate Bill 220, also known as the Ohio Data Protection Act, was enacted into law in the state of Ohio—which represents the first law that accomplishes just that goal.

Importantly, the DPA now provides Ohio businesses with an affirmative defense to some forms of data breach claims where the business has in place reasonable security measures at the time of the breach. In enacting the DPA, Ohio becomes the first state in the nation to implement a law that affords a data breach safe harbor for business entities.

|

Today's Rising Risk of Data Breach Incidents

As is common knowledge today, business entities are prime targets, and victims, of computer-network penetration and data theft. In addition to hackers, business entities also face significant data breach threats originating from inside the organization as well. Importantly, data breach incidents have proliferated astronomically in recent years both in frequency and severity. More often than not, the financial consequences of a data breach are catastrophic.

Furthermore, in addition to the economic loss caused by a breach, the reputational hit that a business customarily takes in the wake of a data theft incident can also have dire consequences on the long-term viability of the organization. In particular, many businesses who maintain vital sensitive and proprietary company data may choose to steer clear of utilizing a company that has demonstrated an inability to properly safeguard client information, resulting in the exodus of current clients, as well as significant lost business opportunities from potential clients.

|

Ohio's Data Protection Act

To incentivize companies to adopt appropriate cybersecurity protections, Ohio enacted the Data Protection Act, which provides an incentive-based program to strengthen business cybersecurity practices. In particular, the DPA provides companies with a safe harbor against data breach claims sounding in tort (such as negligence) brought under the laws or in the courts of Ohio for companies that implement, maintain, and comply with one of several industry-recognized cybersecurity programs. Significantly, contained in the text of the DPA is an express provision which provides that the act does not “create a minimum cybersecurity standard that must be achieved” or “impose liability upon businesses that do not obtain or maintain practices in compliance with the act.” Instead, the DPA endeavors “to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action.”

In order to qualify for the safe harbor, an entity must implement a written cybersecurity program designed to: (1) protect the security and confidentiality of personal information; (2) protect against anticipated threats or hazards to the security or integrity of personal information; and (3) protect against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or fraud. The act provides that the scale and scope of the company's cybersecurity program should be consummate with the following factors: (1) the company's size and complexity; (2) the nature and scope of its activities; (3) the sensitivity of the personal information maintained by the company; (4) the cost and availability of tools to improve information security; and (5) the resources available to the company.

In addition, the act also requires the entity's cybersecurity program to “reasonably conform” to one of the following cybersecurity frameworks:

  • National Institute of Standards and Technology's (NIST) Cybersecurity Framework;
  • NIST Special Publication 800-171 or Special Publications 800-53 and 800-53a;
  • Federal Risk and Authorization Management Program's (FedRAMP) Security Assessment Framework;
  • Center for Internet Security's Critical Security Controls for Effective Cyber Defense; or
  • International Organization for Standardization (ISO)/International Electrotechnical Commission's (IEC) 27000 Family – Information Security Management Systems Standards.

For businesses that accept payment cards, to qualify for the affirmative defense these organizations' cybersecurity programs must also comply with the Payment Card Industry's Data Security Standards (PCI-DSS), in addition to one of the generally applicable frameworks identified above. Similarly, companies subject to certain state or federally mandated sector-specific laws may rely on the affirmative defense if—in addition to conforming with one of the above generally applicable frameworks—they can establish that their plan conforms to any additional security requirements, such as the security requirements identified in the Health Insurance Portability and Accountability Act (HIPAA), Title V of the Gramm-Leach-Bliley Act (GLBA), the Federal Information Security Modernization Act (FISMA), or the Health Information Technology for Economic and Clinical Health Act (HITECH).

Critically, however, simply having a written security program drafted and on file will not suffice to utilize the affirmative defense in the wake of a data breach incident. Rather, companies must also have maintained and complied with their programs at the time of a breach to be entitled to the shield provided by the safe harbor. With that said, the DPA provides no further discussion or explanation as to how a company can successfully establish that it has implemented sufficient cybersecurity measures to make itself eligible for the affirmative defense. Moreover, the act also fails to provide any additional information regarding how a company can successfully establish that its cybersecurity plan “reasonably conforms” with one of the above frameworks.

|

Takeaways

The DPA represents the first law in the country to provide incentives to businesses to implement certain cybersecurity controls through the utilization of an affirmative defense to liability in the wake of a data breach. With that said, some states—such as New York—do require certain organizations to satisfy specific cybersecurity compliance standards, without affording such companies an express safe harbor as an incentive to adopt such standards.

Ohio's new cybersecurity law is a welcome opening for organizations of all shapes and sizes who seek to limit their liability in the wake of a data breach. Importantly, the act provides clear steps that business entities must take in order to qualify for the safe harbor under the act. However, qualification for this new defense to liability is not automatic. Rather, a company will bear the burden of establishing that its program satisfies all of the requirements under the law. This may prove to be quite challenging in some situations, as many of the frameworks provide mere generalizations as to what is required—without providing any specific or express requirements—and lack any standard certification process.

Moreover, the DPA will not insulate companies completely from all forms of liability in the wake of a data breach. Rather, the act only provides a shield for tort claims brought under the laws or in the courts of Ohio which allege a failure to implement reasonable data protection controls that result in a data breach. As such, the DPA is not applicable to contract-based claims or statutory violations that are alleged in a data breach action. In addition, organizations will not be able to rely on the DPA in the early stages of litigation, but instead will be required to make a substantial showing of compliance with all the requirements of the law in order to utilize the safe harbor provided by the act. As such, with the limited scope of the safe harbor and the challenges that will be faced by companies in establishing eligibility for the DPA's affirmative defense, the ultimate impact of the DPA on Ohio businesses is yet to be seen.

|

The Final Word

Today, not a week goes by without hearing about a new cataclysmic data breach event. As the number and severity of data breaches continues to climb today with no foreseeable end in sight, now more than ever companies must be proactive in implementing effective safeguards to shield sensitive company information from malicious hackers or other unauthorized access. At the same time, companies should ensure that their cybersecurity programs comport with the requirements of the Data Protection Act, as doing so will allow companies to invoke the act's safe harbor to defeat certain state law data breach tort claims alleging that the organization's data security measures resulted in a data breach incident.

Through the implementation of a robust cybersecurity risk management program, companies can effectively minimize the risk of falling victim to a catastrophic data breach, while at the same time putting themselves in the best position to assert the DPA's stringent defense to liability in the event they fall victim of a data breach incident and find themselves on the receiving end of a subsequent civil action stemming from the breach.

David J. Oberly is an associate in Blank Rome's Cincinnati office. He concentrates his practice in the areas of cybersecurity and data privacy, energy, environmental, toxic torts and mass torts, and product liability. He can be reached at [email protected].