Ohio Creates Incentives to Proactively Adopt Cybersecurity Programs

A new Ohio law, the Data Protection Act, incentivizes businesses and not-for-profit organizations that proactively put into place cybersecurity programs to safeguard electronic information containing identifiable information of consumers that could be used for identity theft or fraud if it were disclosed in a security breach. The law, which takes effect on November 2, 2018, will provide organizations a safe harbor from consumer lawsuits if they can demonstrate that a cybersecurity program was in place when the security breach occurred. The new legislation does not expand Ohio’s requirements for breach notification or expressly create a right to sue when an individual’s information is disclosed through a security breach.

The Data Protection Act creates a safe harbor for any commercial or non-profit organization that maintains unencrypted electronic information that can be used to identify an individual and the breach of which is likely to result in a material risk of identity theft or fraud. To meet the requirements for the safe harbor, the organization must demonstrate that it has created, maintained and complied with a written, industry-recognized cybersecurity framework or program that contains administrative, technical and physical safeguards for the protection of identifiable consumer information.

The law defines an organization as having a program that uses an industry-recognized cybersecurity framework when that framework is the NIST Cybersecurity Framework, NIST SP-800-171, NIST 800-53, the FedRAMP Security Assessment Framework, or the ISO-27001 family of information security management systems. Organizations are required to bring their cybersecurity programs up to date with their chosen framework within a year after revisions to that framework are adopted.

The legislation also permits an organization subject to federal or state data security requirements, such as the HIPAA Security Rule, to demonstrate that it has a cybersecurity program if it meets the security requirements of the appropriate regulatory standards. However, a health care organization subject to the HIPAA Security Rule would bear the burden of proving its compliance with the Security Rule in any action brought for damages as a result of a security breach of a person’s identifiable information that results in identity theft or fraud.

CynergisTek offers comprehensive information security risk assessments of your cybersecurity program using the NIST Cybersecurity Framework as well as other industry-recognized frameworks. Contact us for more information.

September 11th, 2018

About the Author:

David Holtzman
Considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules, David Holtzman was a senior advisor at OCR before joining the team at CynergisTek. He also previously served as the privacy & security officer for Kaiser Permanente’s Mid-Atlantic Region.