Ohio Safe Harbor Law Provides Defense for Voluntary Cybersecurity Implementation

November 1, 2018

By Kyle A. Hutnick

Ohio’s new Data Protection Act (SB 220) goes into effect today, November 1, 2018, and provides an incentive for businesses that voluntarily make cybersecurity a priority. By providing a legal safe harbor for businesses that voluntarily adopt a written, qualifying cybersecurity program, this act provides an added defense for companies against lawsuits in the event of a breach.

What is a qualifying cybersecurity program?

To qualify, the cybersecurity program must:

  • Protect the security and confidentiality of the information;
  • Protect against anticipated threats or hazards; and
  • Protect against unauthorized access that is likely to result in identity theft or fraud.

Businesses with a cybersecurity program that reasonably conforms to certain existing industry-recognized frameworks also qualify for the safe harbor, including:

  • National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework;
  • Security requirements of the Health Insurance Portability and Accountability Act (“HIPAA”) and Health Information Technology for Economic and Clinical Health Act (“HITECH”);
  • Title V of the Gramm-Leach-Bliley Act (“GLBA”); and
  • Federal Information Security Modernization Act (“FISMA”).

The law also allows a business to tailor the scope of its cybersecurity program based on the following factors:

  • Its size and complexity;
  • The nature of its activities;
  • The sensitivity of the information to be protected;
  • The cost and availability of tools to improve cybersecurity; and
  • The business’s available resources.

How does the safe harbor protect companies?

The law does not prevent businesses from being sued altogether. Instead, it provides an affirmative defense for companies that suffer a data breach and then face a lawsuit for not implementing appropriate security protocols. The affirmative defense is available to businesses only in tort claims, like negligence. In other words, the defense is not available in breach of contract claims, like one between a business and its vendors or customers.

Notably, the law specifically contemplates transactions recorded by blockchain technology, which allows electronic records to be recorded securely using a network of computers. Blockchain is rapidly increasing in popularity, and with this new law, Ohio joins the growing number of states with laws recognizing blockchain.

The need for proactive cybersecurity planning.

The Ohio Data Protection Act is a great opportunity for businesses to make cybersecurity a priority. Building a cybersecurity program is no small task, and must be custom-built to be effective. Kohrman Jackson & Krantz has a unique understanding of businesses of all sizes, and can assist with building a well-tailored cybersecurity program.

KJK publications are intended for general information purposes only and should not be construed as legal advice on any specific facts or circumstances. All articles published by KJK state the personal views of the authors. This publication may not be quoted or referred without our prior written consent. To request reprint permission for any of our publications, please use the “Contact Us” form located on this website. The mailing of our publications is not intended to create, and receipt of them does not constitute, an attorney-client relationship. The views set forth therein are the personal views of the author and do not necessarily reflect those of KJK.