Ohio Data Protection Act
With the rising rate of cybercrime and the increasing sophistication and audacity of recent attacks, cybersecurity is enjoying an elevated profile in C-suites, mainstream publications, and even Washington. Traditionally, many businesses have been slow to implement comprehensive cybersecurity technologies, protocols, and best practices, citing costs and resource constraints, among other often specious excuses. Small businesses have made up a substantial portion of the laggards, with their leaders erroneously believing that their size would make them an unattractive target.
However, many of these same businesses have found themselves on the receiving end of ransomware, malware, and other attacks that have cost them dearly. Cyberattacks such as those on Colonial Pipeline, JBS Foods, and Kaseya, along with the remote-work imperative of the pandemic, have many CEOs reassessing how secure their systems are and, in many cases, making appropriate investments in cybersecurity. Doing so both keeps their critical systems operational and safeguards client and consumer data. In recent years, the latter has drawn increasing attention given high-profile data breaches at well-known companies such as Twitter, Capital One, Equifax, eBay, and Uber.
The Regulatory Landscape
In the U.S., consumers (whether individuals or companies) still depend on businesses to follow best practices to protect their data. U.S. businesses are subject to industry-specific federal mandates, as well as a patchwork of state laws and regulations that leave significant gaps in oversight. For example, before the Colonial Pipeline attack, pipelines were not subject to mandatory federal cybersecurity regulations. In fact, many sectors of what is considered critical infrastructure, such as wastewater systems, still are not.
Recent high-profile attacks have lawmakers from both parties developing such regulations for government agencies and operators of critical infrastructure. However, these efforts still fall short of the kind of national data protection and cybersecurity law common in many other countries, one that spells out a company's responsibilities concerning data usage, storage, transparency, confidentiality, and security standards.
One such law, adopted in the European Union in 2016 and enforced since 2018, is the General Data Protection Regulation (GDPR), which applies to businesses worldwide that process the personal data of individuals in the EU. GDPR not only governs how data may be collected, stored, used, and deleted; it also covers areas such as data breach notification and the appointment of a data protection officer, among others, and imposes substantial fines on violators.
Since enactment, GDPR has shown some promising results. It has also served as a model for similar data protection laws in other jurisdictions, including in the U.S. California enacted its California Consumer Privacy Act (CCPA) in 2018, which has many similarities to GDPR. And in 2018, our own state enacted the Ohio Data Protection Act (ODPA), which, while elevating the need for data protection and cybersecurity, takes a unique approach to the issue.
The Ohio Data Protection Act
Rather than approaching data protection and cybersecurity with regulatory mandates and financial penalties for noncompliance, the ODPA was the first law in the country to offer businesses a legal incentive to adopt recognized cybersecurity best practices. To qualify, a business must create, maintain, and follow a written cybersecurity program, with administrative, technical, and physical safeguards for personal information, that "reasonably conforms" to an established cybersecurity framework recognized by the statute, including:
- National Institute of Standards and Technology's (NIST) Cybersecurity Framework;
- Federal Risk and Authorization Management Program's (FedRAMP) Security Assessment Framework;
- Center for Internet Security's (CIS) Critical Security Controls for Effective Cyber Defense; or
- International Organization for Standardization (ISO)/International Electrotechnical Commission's (IEC) 27000 family of standards.
Companies that accept debit or credit card payments must also comply with the Payment Card Industry Data Security Standard (PCI DSS). Further, if the business is subject to additional state or federal industry-specific cybersecurity regulations (for example, HIPAA for health information or the Gramm-Leach-Bliley Act for financial data), its program must comply with those as well to be considered ODPA-compliant.
Once a company is ODPA-compliant, it is entitled to an affirmative defense in the event of a breach. That is, when a data breach occurs, the business can raise its ODPA compliance as a defense against tort claims alleging that its failure to implement reasonable security controls caused the breach. Because it is an affirmative defense, the burden is on the business to prove that it was in compliance with the ODPA at the time of the breach, so the written program and evidence of its implementation must be in order before an incident, not assembled afterward. For a business that was in compliance, however, the defense may be critical to avoiding thousands or even millions of dollars in judgments, as well as the legal fees that follow a breach.
It must be noted that this new law may not have its intended effect of prompting companies to implement stronger cybersecurity measures. First, the ODPA is voluntary, and some businesses may simply choose to ignore it, since there is no penalty for doing so. A business that has thus far failed to shore up its network security may continue to deprioritize it, leaving its operation at risk. Further, while the listed frameworks are industry-leading standards, the law does not define a single cybersecurity standard that must be met or the criteria for "reasonable conformance"; the statute instead asks that the program be scaled to the size and complexity of the business, the nature of its activities, the sensitivity of the information, and the cost and availability of tools. Finally, the law could conceivably shield a business whose cybersecurity plan meets these vague conformance criteria on paper but that is still negligent with consumer data in practice.
Cybersecurity and Ohio’s Businesses
However, the ODPA, as written, may encourage many businesses to further strengthen their existing cybersecurity protocols, given the legal shield it provides. As more businesses make hybrid and fully remote work permanent, their attack surface grows, and with it the likelihood of a successful breach. Downtime and ransom costs alone may cost a company hundreds of thousands if not millions of dollars, not to mention litigation costs from clients and vendors whose data has been compromised. It is little wonder, then, that by one widely cited estimate 60 percent of small businesses do not survive six months after a data breach.
Implementing one of the cybersecurity frameworks the ODPA recognizes requires most businesses to change organizational processes, potentially make hiring or other personnel-related decisions, and adopt certain security technologies and methodologies. These frameworks evolve as threats do, so businesses must keep up to date with new revisions and update their programs accordingly. Doing so not only earns your company the benefit of the ODPA's legal protection; it also helps keep your business safer.
Need support ensuring that your business is ODPA-compliant? EasyIT has the resources and expertise you need. Having helped safeguard businesses throughout central Ohio for more than 20 years, we have experience developing and implementing cybersecurity programs that conform to the frameworks the ODPA recognizes. We have also worked with companies subject to other state and federal regulations and can help you identify the processes, personnel, and technologies you need to protect your business. Contact us today, and let's help you secure your business.