Ohio has enacted a new law called the Data Protection Act, which will go into effect on November 2, 2018. Under this new law, businesses that take reasonable cybersecurity precautions meeting certain industry standards will be afforded a "safe harbor" against claims alleging that a failure to use reasonable cybersecurity measures resulted in a data breach involving personal information. While the law does not provide total immunity from lawsuits, it does reduce the risk of litigation and of damage to a business's reputation.
To qualify for this defense, the business must implement a written security policy designed to:
- Protect the security and confidentiality of personal information
- Protect against anticipated threats to the security or integrity of personal information
- Protect against unauthorized access to personal information
Additionally, the business's cybersecurity must reasonably conform to one of the following frameworks:
- NIST Cybersecurity Framework
- FedRAMP
- CIS Critical Security Controls for Effective Cyber Defense
- ISO/IEC 27000 Family - Information Security Management Systems Standard
And finally, if your business is subject to PCI, HIPAA, GLBA, FISMA, or HITECH requirements, you must continue to meet those requirements as well.
Shameless disclaimer: we here at CodeRed are well suited to help you build out a cybersecurity program to take advantage of this new legislation. No business is too small - even "micro" businesses or non-profits with fewer than 10 employees can easily put a security policy in place. Contact us or leave a comment below with questions.