Tuesday, August 14, 2018

Ohio's new cybersecurity safe harbor for businesses means the time for cybersecurity compliance is NOW

Do you know that the average total cost of a data breach to a business is $3.86 million?

This is a 6.4% increase over the past year.

For companies doing business in Ohio, some relief is on the way.

Earlier this month, Governor Kasich signed Senate Bill 220 into law. It provides a legal "safe harbor" for businesses in exchange for compliance with one of eight recognized cybersecurity standards (including the National Institute of Standards and Technology's Cybersecurity Framework, the Security Rule of the Health Insurance Portability and Accountability Act for healthcare-industry businesses regulated by HIPAA, and the Safeguards Rule of the Gramm-Leach-Bliley Act for certain financial institutions).

A company doing business in Ohio that complies with one of these standards will have an affirmative defense to a tort claim (brought under Ohio law or in an Ohio court) alleging that a failure to implement reasonable information security controls resulted in a data breach. Because it is an affirmative defense, the business must prove its compliance, so a program that is documented, not merely planned, is what earns the protection.

SB 220 expressly states that it does not "create a minimum cybersecurity standard that must be achieved" or "impose liability upon businesses that do not obtain or maintain practices in compliance with the frameworks."

Indeed, the scale and scope of the cybersecurity program required to trigger the legal safe harbor are based on various business-specific factors, including:

  • the size, complexity, and nature of the business and its activities
  • the level of sensitivity of the personal information it possesses
  • the cost and availability of tools to improve security and reduce vulnerabilities
  • the resources the business has at its disposal to expend on cybersecurity

The law's goal is not to shield businesses from liability, but "to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action." In and of itself, this goal is worthy of your attention.

Governor Kasich signed the bill into law on August 3, and it takes effect 90 days after it is filed with the Secretary of State.

If you haven't taken cybersecurity seriously, SB 220 may be just the kick in the pants that Ohio businesses, and those doing business in Ohio, need to jump-start their compliance efforts. You have three months (give or take) before the safe harbor becomes available, and only a program you can show was in place can be invoked. What are you waiting for?
