The question is, will other States and even the Federal government follow? I hope so.
The Ohio Data Protection Act, which became law in November of 2018, establishes a cybersecurity safe harbor for companies that adopt an applicable cybersecurity framework.
In simple terms, here is what this means. If a business has shown good faith in putting appropriate cybersecurity defenses and protections in place, it may not be able to be held liable for any damages should they experience a data breach. The Act does not create a standard that companies must comply with, rather it references several established cybersecurity frameworks that are compliant in the eyes of the law. These frameworks are:
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
- NIST Special Publications 800-53, 800-53A, or 800-171
- Federal Risk and Authorization Management Program Security Assessment Framework
- Center for Internet Security Critical Security Controls for Effective Cyber Defense
- International Organization for Standardization / International Electrotechnical Commission’s 27000 Family – Information Security Management Systems
- Health Insurance Portability and Accountability Act of 1996 Security Rule
- Health Information Technology for Economic and Clinical Health Act
- Title 5 of the Gramm-Leach-Bliley Act of 1999
- Federal Information Security Modernization Act of 2014
- Payment Card Industry Standard combined with another listed framework
Further, this law allows business to determine which framework applies to them. Companies are allowed to consider their size, type of information that needs to be protected and other factors in making this determination.
For small business, this is good news as this may represent the first cybersecurity law that a small business can actually comply with. While large enterprises are complying with laws that impact them, this has been a challenge for small business. The scope of compliance requirements, the costs of complying and the uncertainty of whether they can properly protect themselves have kept many from even trying.
By offering a safe harbor, to protect the busines as long as it can show compliance with one of the listed frameworks, this law may actually encourage businesses of all sizes to do the right thing. This would be a great development and I’m hoping all other states follow Ohio’s lead. We will all be safer if they do.