Under a new law recently proposed in Ohio, businesses that take steps to secure data could be protected from lawsuits if a hack occurs. The bill, Senate Bill 220, was the first bill to emerge from the Ohio attorney general’s office’s and its cyber-security task force of business leaders, information technology experts, and law enforcement created in the wake of high-profile hacks of consumer information. The bill is an effort to help businesses with cyber related claims, encourage them to be proactive and recognize the difficulty in creating standards for constantly evolving technologies. It’s a valid effort to balance law and technology.
According to Ohio Attorney General Mike DeWine, a member of the task force, “Those business that take reasonable precautions and meet these important standards will be afforded a safe harbor against claims should a data breach occur…To trigger the safe harbor provision, businesses must create their own cyber-security programs that meet certain standards.”
The bill contains no specific standards. It only provides that businesses have one year to come up with their own programs using one of the eight industry specific frameworks developed by NIST along with several other federal and international entities.
Once implemented, businesses would then have an affirmative defense to any cause of action sound in tort that alleges that the business failed to adopt reasonable security controls that caused a breach.
Businesses then have yet another year to implement the plan. Once implemented, businesses would then have an affirmative defense to any cause of action sound in tort that alleges that the business failed to adopt reasonable security controls that caused a breach. But it would still be up to the Court to determine if a business met their burden to show compliance with the NIST standards or the other standards referenced in the bill.
The bill further requires in Section 1354.02 that any designed plan shall protect the security and confidentially of personal information, shall protect against any anticipated threats or hazards to the security of personal information, and shall protect against unauthorized access that creates risk. The bill would allow consideration of the size and complexity of the business, the nature of scope of the business, the sensitivity of the personal information involved, the cost and availability of the tools necessary to protect the information and the resources available to the business.
The bill specifically states it is not intended to create any sort of minimum standard or impose liability on those companies that don’t comply. The bill relies on higher authorities like NIST presumably with more expertise to create and evolve the standards to prove the protections. Indeed, the bills sponsors specifically did not want to create standards that Ohio would have to be revisit. “Minimum standards don’t evolve, frankly, very well…,” said Kirk Herath, vice president and chief privacy officer of Columbus-based Nationwide Financial Services and a member of Mr. DeWine’s CyberOhio Initiative panel.
Certainly, this is a step toward encouraging companies to be more proactive in this space. But businesses should also realize that the bill trades a defense showing that the company took reasonable steps to avoid a security breach (the negligence standard) for showing that the company complied with certain standards. And while its not clear, ultimately that showing would likely need to be made in front of a jury.
Its also not clear whether a business must show that it met the Section 1354.02 standards in addition to showing compliance with one of the designated standards. If so, the bill really comes closer to defining what the negligence standard is in Ohio in the data breach arena rather than creating a clear defense based on a mere showing of compliance with the standards referenced. But having a clear standard to point to is a plus for businesses defending against claims. And the fact that the bill makes clear that the standards aren’t minimums helps businesses as well.
Having a clear standard to point to is a plus for businesses defending against claims.
Businesses should also remember that compliance does not necessarily protect them against claims in other states. In today’s digital world, few businesses can claim that their cyber operations are limited to one state. That of protection must come from the U.S. Congress to have nationwide significance.
All in all, though, the bill is a step forward for businesses and is a valid attempt to bridge the gap between law and technology. It remains to be seen though how it will fare in the Legislature itself.
Photo Credit: <a href=https://howtostartablogonline.net/>photo by Richard Goodwin</a>