What does the Ohio Data Protection Act Mean for Your Business?

By Eric Noonan • October 8, 2018

Every day, hackers and thieves are becoming more sophisticated, daring, and aggressive in their attempts to turn stolen data into substantial paydays. And with criminal entities regularly on the prowl for cyber weaknesses to exploit, it’s no wonder that the number of data breaches is growing at a record pace. Partially in response to this rise in cyber attacks, Ohio Attorney General Mike DeWine’s CyberOhio Initiative has introduced The Data Protection Act, signed into law by Governor John Kasich on August 3rd 2018.

Whereas most of the preceding cybersecurity legislation has sought to motivate businesses with punitive and disciplinary action, the DPA is a looking to take a new approach by giving companies a positive and confident push forward towards a more secure future.

The first law of its kind in the nation to provide an affirmative legal defense, the DPA is an absolute boon to any company involved the handling of sensitive data. Beneficial for all involved, it’s designed to inspire a proactive approach to cybersecurity to make the exchange of sensitive information safer and more comfortable for everyone.

The law incentivizes businesses to further protect themselves against cybersecurity risks by providing legal protection to those who deal with personal information in case of a breach, provided that they comply with a designated cybersecurity framework.

A Safe Harbor

Fairly or not, people affected by data breaches often look for a scapegoat. In many cases, they end up trying to hold the breached company liable for losses or damages they’ve incurred.

With even the smallest attack leaving a business vulnerable to serious legal consequences, this bill represents a valuable tool for those looking to limit their liability. Although it doesn’t provide immunity to your company if you comply, it does afford you a ‘safe harbor’ against tort claims that failed cybersecurity measures resulted in the data breach.

Both businesses and consumers should be set to benefit from this development as companies become more motivated to up their game and meet industry standards for cybersecurity.

How to Comply

As of November 2nd, 2018, your business can trigger the ‘safe harbor’ provided that you adopt a cybersecurity program designed to:

  • Protect the security and confidentiality of personal information;
  • Protect against any anticipated threats or hazards to the security or integrity of the personal information; and
  • Protect against unauthorized access to and acquisition of information that is likely to result in a material risk of identity theft or other fraud.

Since no two companies are alike, the law does acknowledge that the above guidelines are not meant to be a one-size-fits-all approach to cybersecurity. An effective program will have to be scaled to match:

  • The size, complexity, and nature of your business and its activities;
  • The level of sensitivity of the personal information your business possesses;
  • The cost and availability of tools to improve your security and reduce vulnerabilities; and
  • The resources your business has at its disposal to expand on cybersecurity.

Further guidance also advises businesses to ‘reasonably conform’ to one of the following industry-recognized frameworks:

  • The National Institute of Standards and Technology’s (NIST) Cybersecurity Frameworks;
  • NIST Special Publication 800-171, or Publications 800-53 and 800-53a;
  • The Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework;
  • The International Organization for Standardization (ISO)/International Electrotechnical Commission’s (IEC) 27000 Family – Information Security Management Systems Standards;
  • Center for Internet Security’s Critical Security Controls for Effective Cyber Defense;
  • The Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) for healthcare industry businesses subject to HIPAA oversight;
  • The Federal Information Security Modernization Act of 2014 (P.L. 113-283); and
  • The Safeguards Rule of the Gramm-Leach-Bliley Act, for certain financial institutions.

If you accept card payments, you’ll also have to comply with the Payment Card Industry’s Data Security Standards (PCI-DSS).

Challenges Ahead

Although guidelines have been provided, demonstrating full compliance may prove challenging since many of the specified frameworks lack standard certification processes.

Also, since some data security laws have more flexible requirements than others, questions remain over how to demonstrate complete conformity, or which aspects to comply with to ensure the best legal defense. For this reason, when attempting to implement frameworks, it’s a wise move to consult with cybersecurity experts like CyberSheath.

Our Managed Services enables compliance with the Ohio DPA to ensure comprehensive, framework based compliance. We’ll guide you through the process from assessment through remediation, integrating your existing people, processes, and technologies with your chosen frameworks.

A Win-win for Your Business and Your Customers

Not only will CyberSheath’s managed services help you to achieve full compliance and reduce your legal liability, but you’ll also see a demonstrable improvement to your day-to-day operational security — a true win-win for your business and your customers.

 

CyberSheath Blog

How to Safeguard Your Company from Phishing

Email is so ubiquitous in our everyday lives that it can be a challenge to always be on guard when receiving messages. Each day it’s not unheard of for each member of your team to have hundreds of messages land in their inbox. How do you make sure that none…

3 Tools to Help Defend Your IT Infrastructure from Threats

With the continually evolving threat landscape and the prevalence of team members working from home, it is more important than ever to be proactive with how your company is protecting itself from cyberattacks.  CyberSheath can help. We offer services to build on all the great work you have already done…

DNS Filtering for Additional Protection of IT Systems

Phase one of securing your IT infrastructure should include protecting your endpoints and safeguarding your employees from phishing attempts. After you have implemented these controls, the next logical step is to launch a DNS filtering solution.   What is DNS filtering and why do you need it? Domain name server…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO