In December 2017 we discussed the possibility of a new bill, Ohio Senate Bill 220 (S.B. 220), that the Ohio Senate was discussing.

Less than a year later, S.B. 220 has officially been signed into law.

Have You Met Bill?

S.B. 220, known as the Data Protection Act, was drafted to incentivize businesses to attain a “higher level of cybersecurity” by maintaining a compliant cybersecurity program. This means if a firm is sued for negligently failing to implement reasonable information security controls resulting in a data breach, the firm can then state its compliance with the cybersecurity control as an affirmative defense.

The legal “safe harbor” is provided to firms that operate in Ohio and implement a program that complies with the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standard and Technology (NIST). Business can choose from eight industry-recommended frameworks:

  1. NIST SP 800-171
  2. NIST SP 800-53 and 800-53(a)
  3. The Federal Risk and Authorization Management Program (FedRAMP)
  4. Center for Internet Security (CIS) Critical Security Controls
  5. The ISO 27000 Family
  6. The HIPAA Security Rule
  7. Graham-Leach-Bliley Act
  8. The Federal Information Security Modernization Act (FISMA)

Protect This Firm

The average cost of a data breach to a business comes in at $3.68 MILLION in 2018. Since 2017 that number has increased by 6.4%. This shows that data breaches are becoming more prevalent and costing firms more every as time goes on. S.B. 220 can now officially provide some relief to firms in Ohio.

S.B. 220 safe harbor applies specifically to tort claims (i.e., negligence and invasion of privacy claims) and would not provide blanket immunity to all data breach lawsuits (i.e., contract-based claims such as a business-vendor dispute).

Since S.B. 220 is an affirmative defense response to a lawsuit, the firm must prove that their cybersecurity program does comply with one of the eight industry-recommended frameworks listed above. If S.B. 220 in ratified into law, firms will be enticed to establish a compliant program.

It’s important to realize that S.B. 220 “is not intended to, create a minimum cybersecurity standard that must be achieved,” and in addition, it is not to “be read to impose liability upon businesses that do not obtain or maintain.”

However, establishing a program is not a one size fits all task. Understanding your firm’s needs is crucial for determining the scope. Things to keep in mind include items such as:

  1. Size, complexity, nature of the business and its activities
  2. Level of sensitivity of the personal information
  3. Cost and availability of tools to improve security and reduce vulnerabilities
  4. Resources the company has at its disposal to expand on cybersecurity.

What Are You Waiting On?

S.B. 220 serves as a potent reminder for firms to implement robust cybersecurity to protect their information. Also, now is a great time to look at current cybersecurity plans and determine how to enhance them. Determine possible risk areas in your firm and make sure there is an appropriate IRP in place to help prepare. Compliance with industry standards provides immediate value to a firm in a myriad of ways, from lower total IT expenditure, insulation against risk, preservation of the firm’s reputation, improved uptime, operational consistency, and more.

Governor Kasich signed the bill into law on August 3. Then, it will take 90 days to go into effect after the Secretary of State enrolls it.

If you haven’t taken cybersecurity seriously, SB 220 may be the jump start that Ohio firms need for compliance efforts. With less than three months to go, what are you waiting on?