Monday, October 30, 2017

Ohio lawmakers consider safe harbor for cybersecurity compliance

If the Equifax data breach hasn’t scared your company into cybersecurity compliance, Ohio lawmakers are considering dangling a compliance carrot in front of you.

Senate Bill 220 [pdf], introduced earlier this month, would provide businesses a cybersecurity ‘safe harbor’ in exchange for compliance with the NIST Cybersecurity Framework (or another similar standard).

The NIST Cybersecurity Framework, developed by the National Institute of Standards and Technology within the United States Department of Commerce, is a voluntary set of standards, best practices, and recommendations for improving organizational cybersecurity.

If SB 220 becomes law, a company doing business in Ohio that complies with the NIST Cybersecurity Framework (or another similar standard) will have an affirmative defense to a tort claim alleging that its failure to implement reasonable information security controls resulted in a data breach.

SB 220 expressly states that it does not “create a minimum cybersecurity standard that must be achieved” or “impose liability upon businesses that do not obtain or maintain practices in compliance with the frameworks.” 

Its only goal is “to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action.” In and of itself, this goal is worthy of your attention and support.

If you aren’t taking cybersecurity seriously (and god knows you should be), SB 220 may just be the kick in the pants that Ohio businesses, and those doing business in Ohio, need to jump-start their compliance efforts.

Tomorrow, I am presenting Creating a Corporate Culture of Cybersecurity as part of Law Day at the 2017 Information Security Summit. This week-long event is your one-stop shop for all things cybersecurity. I hope to see you there.