Since the 2018 U.S. state legislative sessions began, at least 12 states have brought into force updated or entirely new cybersecurity legislation. Some were focused on breach notification, bringing to 50 the number of states with breach laws on the books. Others addressed the need for written information security programs, while yet others promulgated information security in a unique way: California, with its requirement for Internet of Things security; Vermont, with regulation of data brokers, and now Ohio is incentivizing the development of information security programs through tort protection.
As a major privacy trend, several states are introducing data protection legislation in their respective 2019 legislative sessions, and some of these bills incorporate elements of other states’ data protection statutes. This “cross politization” of data protection and the sheer number of bills currently moving through state legislatures, along with 2018’s new legislation, collectively represent a quiet revolution in data protection practice in the U.S.; in doing so, it also represents a uniquely American approach to solving a societal problem.
Looking at Ohio, early in August of 2018, then-governor John Kasich signed into law the Ohio Data Protection Act.1 The law represented a novel approach to data protection:2 it provides an “affirmative defense” to a “covered entity” against tort claims brought against that entity as a result of a breach of personal information if the entity’s cyber security program conforms to industry recognized cybersecurity frameworks or federal regulations cited in the Act.
An affirmative defense is a legal position that, if proven in court, negates a claim brought by a plaintiff and is sometimes referred to as a legal “safe harbor.” The Act applies to (1) businesses that process “personal information or restricted information in or through one or more systems, networks, or services located in or outside” of Ohio [emphasis added]; (2) Ohio state institutions of higher education; (3) non-profit organizations; and (4) financial institutions that are chartered by Ohio.
Presumably, companies domiciled outside of the state and/or those that process personal data of Ohio residents on cloud-based systems located outside of the state would still be able to benefit from the Act’s safe harbor. Ostensibly, the Act protects only Ohio residents, unlike the European Union’s (EU) General Data Protection Regulation (GDPR), which protects anyone inside the “four walls” of the EU.3
Reaching the Safe Harbor
Obtaining safe harbor status under the Act involves a 4-part process:
The entity must create, maintain, and comply with a written cybersecurity program that incorporates physical, technical, and administrative safeguards for the protection of personal information and “reasonably conforms to an industry recognized cybersecurity framework[.]” [§1342.02(A)];
The program must be able to protect (1) information security and confidentiality; (2) against anticipated threats to information security and integrity; and (3) against unauthorized access of information; [§1354.02(B)]
The program must incorporate factors such as the entity’s size and complexity, the nature and scope of the entity’s activities, the sensitivity of the information to be protected, the cost and availability of cybersecurity tools, and the entity’s resources; [§1354.02(C)] and
If the entity is regulated by the federal government or Ohio under the HIPAA Security Rule Subpart C or HITECH Act, GLBA Title V, or the Federal Information Security Modernization (FISMA) Act, and the cybersecurity program conforms to it, then the entity would obtain the benefit of the Act’s safe harbor. [§1354.03(B)(1)]. For all other entities, their respective programs must conform to one of the following frameworks: the NIST Cybersecurity Framework, NIST Special Publications 800-53, 53A, or 800-171; the Federal Risk and Authorization Management Program (FEDRAMP); the Center for Internet Security’s Critical Security Controls (CIS CSC); or members of the ISO/IEC 27000 family. [§1354.03(A)(1)]. Finally, entities that reasonably comply with Payment Card Industry Data Security Standard (PCI-DSS) and conform to the current version of one of the frameworks listed above would also obtain safe harbor status. [§1354.03(C)(1)]
There are some aspects of the Act that require resolution:
How does an entity prove that it has “reasonably complied” with or “reasonably conforms to” the requirements of the Act, especially when not all regulations or frameworks have an associated audit standard, such as NIST SP 800-53A? Covered entities may look to U.S. defense contractors, who have extensive experience with this very issue: In 2017, they were required to self-certify as compliant with the mandates of NIST SP 800-171 and were subject to penalties ranging from breach of contract litigation all the way to False Claims Act prosecutions.4 These contractors, for the most part, did successfully self-certify, and without the benefit of a published audit standard. They did so primarily through a combination of internal and external audits or assessments, leveraging their experience with Sarbanes-Oxley, SOC 25 reports, and other compliance efforts. In support of this effort, and to demonstrate compliance, all or nearly all of these organizations developed a System Security Plan (SSP) detailing how they protect data. Many likely also shared with supply chain members a plan of action and milestones (POAM), detailing which controls would be implemented over time. This collection of assessments, POAMs, SSPs, and related documents would likely serve as the entity’s proof of compliance with the Act during breach-related litigation.
For entities regulated by the federal or Ohio government, if personal information is compromised (exposed, stolen, etc.) and is not of the type protected under the applicable regulation, will the entity still have safe harbor status? If California’s approach to privacy, the California Consumer Privacy Act of 2018, is any indication, guidance on complying with the Act may be issued by the Ohio Attorney General’s office; otherwise, this issue will likely be settled during litigation.
A Model for Other Jurisdictions?
While it remains to be seen if Ohio’s approach becomes a model for other states or the federal government, what is certain is that the U.S. data protection landscape is now in a state of constant change and will likely continue to do so over the near term. Businesses and non-profits of all types should immediately review their data protection programs in light of this revolution and plan on making needed changes. With the January 1, 2020 start date of the California Consumer Privacy Act on the horizon, itself a massive change in data protection, there may be no greater incentive to do so.
1 Senate Bill 220, codified at O.R.C. §§ 1354.01-1354.05. 2 The concepts of “data protection” and “cybersecurity” are often used interchangeably. However, data protection incorporates data privacy and cybersecurity into one discipline, a practice that largely originated with the EU Data Protection Directive 95/46/EC. 3 See Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) at 13, https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_en.pdf. 4 See DoD Contractors Required to Meet Cybersecurity Requirements by Year End (Oct. 4, 2017), at https://www.cooley.com/news/insight/2017/2017-10-04-dod-contractors-required-to-meet-cybersecurity-requirements-by-year-end. 5 The AICPA, SOC 2® – SOC for Service Organizations: Trust Services Criteria, at https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report.html.