By Andy Federico, Partner, Carlile Patchen & Murphy LLP
A business that holds, utilizes or maintains electronic personal information is not only legally required to protect that sensitive information, but is exposed to costly liability for any failure to do so.
Effective November 2, 2018, however, Ohio business and nonprofit entities will have an additional tool to help them mitigate some of that liability. Pursuant to a new law, businesses that access, maintain, communicate or handle electronic personal or restricted information will have an affirmative defense to a civil action resulting from a data breach if the entity is accused of failing to implement reasonable security controls to prevent the breach.
To prove the affirmative defense, the entity must either:
- Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information, that meets the design, scale and scope requirements and that reasonably conforms to an industry recognized cybersecurity framework listed in Section 1354.03 of the Revised Code; or
- Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of both personal information and restricted information that meets the design, scale and scope requirements and that reasonably conforms to an industry recognized cybersecurity framework listed in Section 1354.03 of the Revised Code.
The cybersecurity program must be designed to do all of the following with respect to the information meant to be protected:
- Protect the security and confidentiality of the information.
- Protect against any anticipated threats or hazards to the security or integrity of the information.
- Protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.
The industry recognized cybersecurity frameworks listed in Section 1354.03 of the Revised Code include:
- The Framework for Improving Critical Infrastructure Cyber Security developed by the National Institute of Standards and Technology (NIST) and certain other NIST publications.
- The Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework.
- The Center for Internet Security Critical Security Controls for Effective Cyber Defense.
- The International Organization for Standardization/International Electrotechnical Commission 27000 Family - Information Security Management Systems.
- The Payment Card Industry (PCI) Data Security Standard.
For certain restricted information, other security protocols may apply, such as the security requirements of the Health Insurance Portability and Accountability Act of 1996; Title V of the Gramm-Leach-Bliley Act of 1999; the Federal Information Security Modernization Act of 2014; or the Health Information Technology for Economic and Clinical Health Act.