The Ohio Data Protection Act differs from others in the country in that it offers the “carrot” without threat of the “stick.” Although companies are rewarded for implementing a cyber-security program that meets any of a variety of security standards, having a non-compliant program carries no penalty under this act.
The theory is that Ohio companies will be more willing to put resources into their information security programs proactively if a tangible return on their investment is available, much like investing in insurance to hedge risk. Alternatively, if there is no threat of penalty for non-compliance, why wouldn’t a business simply adopt a wait-and-see attitude? After all, most companies do not have big data breaches, and developing and documenting a compliant information security program is expensive.
But there are some things about this act that businesses should be aware of. First, keep in mind that this Safe Harbor only applies to tort lawsuits that allege “failure to implement reasonable information security controls resulting in a data breach concerning personal information or restricted information,” and that are brought under Ohio law or in Ohio courts. Applicable businesses, or “covered entities,” are defined as any business that “accesses, maintains, communicates, or processes personal information or restricted information.” The new thing here is the addition of “restricted information” alongside “personal information” (which carries the standard meaning provided in the Ohio Revised Code).
Restricted information is defined as any unencrypted information about an individual that can be “used to distinguish or trace the individual’s identity.” This clearly broadens the scope of information needing protection. Also notice the use of “unencrypted” in this definition: it is an obvious and laudable incentive for businesses to ensure that all of their covered information is stored and transmitted in encrypted form.
To be eligible for this Safe Harbor, a covered entity must create, maintain and comply with a written cybersecurity program that “reasonably conforms” to any of a number of recognized cybersecurity frameworks, including:
- NIST Cybersecurity Framework or Special Publications 800-53, 800-53A or 800-71,
- CIS-CSC, or
- ISO/IEC 27000 series.
This is all well and good. But an immediate area of concern for me arises in the use of the term “reasonably conforms.” What “reasonably conforms” is supposed to mean exactly is not defined anywhere in the act. Also, I didn’t see any mechanism in the act for assessing or regulating compliance. So, when your company is in court facing a jury, who is to say whether your information security program “reasonably conforms” with a given framework?
To me, this means that businesses that are actually interested in being protected under this act need to be able to demonstrate reasonable compliance. To do this, the business should first ensure that its information security program is fully documented, and that the program includes all of the security controls in a given framework that are applicable to it. Ideally, every business function that the business undertakes should be fully documented in written policy, procedure and guidelines.
Next, the business needs to be able to demonstrate that its program is not just a paper tiger, and that its controls are actually implemented and managed properly. This means testing the program with mechanisms such as vulnerability assessments, compliance assessments and enterprise-level risk assessments. Performing and maintaining such assessments will help ensure your ability to demonstrate that your program “reasonably conforms” with the chosen framework’s guidance.