News

A Buckeye Bounce? New Ohio Approach Might Just Catch On

National Cybersecurity Month 2018 has been, appropriately, an active time in cybersecurity law and regulation. Our state of California has passed a first-of-its-kind law to begin to regulate Internet of Things (IoT) devices – smart thermostats, implantable medical devices, etc. Watch this space for much more on this important development. California is often the first state out of the blocks with landmark innovations in cybersecurity and privacy regulation.

Often, but not always.

On November 2nd, 2018, a groundbreaking new cybersecurity law will go into effect in Ohio of all places. Ohio’s new approach hopefully will serve as a bellwether for cybersecurity law and data breach liability legislation across the country.

Ohio Senate Bill 220 grants “safe harbor” to companies taking reasonable measures to implement a standards-based cybersecurity program. Not to be confused with the US-EU data transfer agreement of the same name that was struck down by Europe’s highest court, the Ohio “safe harbor” law provides significant protection from legal liability for companies that implement a reasonable written cybersecurity plan.

Companies implementing such a plan can avoid financial liability as a result of “tort” lawsuits brought by victims of a data breach. Important note: implementation is the key. An unimplemented plan – at least from a potential liability standpoint – is worse than no plan at all.

In legalese, a “tort” is any wrongful act or infringement of a right of another that does not arise from a contract. A significant percentage of data breach lawsuits in the United States have been based on such torts.

Under Ohio’s new law, even if there is a breach and even if victims can show monetary or other damages, a company complying with the law’s requirements can still avoid liability. But here’s the truly revolutionary part of the Ohio law: it explicitly states what is “reasonable,” identifying specific, well-accepted cybersecurity protocols that, if complied with, trigger the safe harbor, including specified provisions of the:

  • National Institute of Standards and Technology (NIST) Cybersecurity Framework;
  • Center for Internet Security (CIS) Controls;
  • International Organization for Standardization (ISO) 27000 family;
  • Health Insurance Portability and Accountability Act (HIPAA) Security Rule;
  • Gramm-Leach-Bliley Act (GLBA); and
  • Federal Information Security Modernization Act of 2014 (FISMA).

While the safe harbor protection is limited to claims under Ohio law, brought in Ohio courts, the law is a positive step towards predictability, clarity and positive incentives for organizations to protect personal data. Over the long term, this law may well provide much greater protection of personal data even as it seems to limit rights of recovery. Other states should follow suit.

– Bryan Cunningham