Every day, hackers and thieves are becoming more sophisticated, daring, and aggressive in their attempts to turn stolen data into substantial paydays. And with criminal entities regularly on the prowl for cyber weaknesses to exploit, it’s no wonder that the number of data breaches is growing at a record pace. Partially in response to this rise in cyber attacks, Ohio Attorney General Mike DeWine’s CyberOhio Initiative has introduced The Data Protection Act, signed into law by Governor John Kasich on August 3rd 2018.
Whereas most of the preceding cybersecurity legislation has sought to motivate businesses with punitive and disciplinary action, the DPA takes a new approach by giving companies a positive and confident push towards a more secure future.
The first law of its kind in the nation to provide an affirmative legal defense, the DPA is an absolute boon to any company involved in the handling of sensitive data. Beneficial for all involved, it’s designed to inspire a proactive approach to cybersecurity that makes the exchange of sensitive information safer and more comfortable for everyone.
The law incentivizes businesses to further protect themselves against cybersecurity risks by providing legal protection to those who deal with personal information in case of a breach, provided that they comply with a designated cybersecurity framework.
A safe harbor
Fairly or not, people affected by data breaches often look for a scapegoat. In many cases, they end up trying to hold the breached company liable for losses or damages they’ve incurred.
With even the smallest attack leaving a business vulnerable to serious legal consequences, this bill represents a valuable tool for those looking to limit their liability. Although compliance doesn’t grant your company immunity, it does afford you a ‘safe harbor’ against tort claims alleging that inadequate cybersecurity measures resulted in the data breach.
Both businesses and consumers should be set to benefit from this development as companies become more motivated to up their game and meet industry standards for cybersecurity.
How to comply
As of November 2nd 2018, your business can trigger the ‘safe harbor’ provided that you adopt a cybersecurity program designed to:
- Protect the security and confidentiality of personal information;
- Protect against any anticipated threats or hazards to the security or integrity of the personal information; and
- Protect against unauthorized access to and acquisition of information that is likely to result in a material risk of identity theft or other fraud.
Since no two companies are alike, the law does acknowledge that the above guidelines are not meant to be a one-size-fits-all approach to cybersecurity. An effective program will have to be scaled to match:
- The size, complexity, and nature of your business and its activities;
- The level of sensitivity of the personal information your business possesses;
- The cost and availability of tools to improve your security and reduce vulnerabilities; and
- The resources your business has at its disposal to expend on cybersecurity.
Further guidance also advises businesses to ‘reasonably conform’ to one of the following industry-recognized frameworks:
- The National Institute of Standards and Technology’s (NIST) Cybersecurity Framework;
- NIST Special Publication 800-171, or Publications 800-53 and 800-53A;
- The Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework;
- The International Organization for Standardization (ISO)/International Electrotechnical Commission’s (IEC) 27000 Family – Information Security Management Systems Standards;
- Center for Internet Security’s Critical Security Controls for Effective Cyber Defense;
- The Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) for healthcare industry businesses subject to HIPAA oversight;
- The Federal Information Security Modernization Act of 2014 (P.L. 113-283); and
- The Safeguards Rule of the Gramm-Leach-Bliley Act, for certain financial institutions.
If you accept card payments, you’ll also have to comply with the Payment Card Industry Data Security Standard (PCI DSS).
Although guidelines have been provided, demonstrating full compliance may prove challenging since many of the specified frameworks lack standard certification processes.
Also, since some data security laws have more flexible requirements than others, questions remain over how to demonstrate complete conformity, or which aspects to comply with to ensure the best legal defense. For this reason, when attempting to implement frameworks, it’s a wise move to consult with cybersecurity experts like CyberSheath.
Our Managed Services enable comprehensive, framework-based compliance with the Ohio DPA. We’ll guide you through the process from assessment through remediation, integrating your existing people, processes, and technologies with your chosen frameworks.
A win-win for your business and your customers
Not only will CyberSheath’s managed services help you to achieve full compliance and reduce your legal liability, you’ll also see a demonstrable improvement to your day-to-day operational security — a true win-win for your business and your customers.