Not a week goes by without hearing about a new data breach. It’s becoming common knowledge that companies, both small and large, are facing the tough reality that it is no longer a matter of if, but really when a company will be affected by a data breach.
Over the years, lawmakers have struggled to construct effective methods of strengthening the cybersecurity of organizations without mandating one-size-fits-all requirements. At the beginning of November, Senate Bill 220, also known as the Ohio Data Protection Act, was enacted into law in the state of Ohio—the first law to accomplish that goal.
Business entities are prime targets, and victims, of computer-network penetration and data theft. In addition to outside hackers, businesses also face significant threats originating from inside the organization.
Data breach incidents have increased in recent years in both frequency and severity. Attacks are becoming more sophisticated – from ransomware to phishing attacks, identity and data theft and more. Often, the financial consequences of a data breach are catastrophic, especially considering the cost of potential downtime for the business. Beyond the loss of time and money caused by a breach, reputation is also affected: businesses may choose to steer clear of a vendor or partner that has had a significant breach.
The easiest way to get in front of a breach and work to prevent one from happening is to have a strategy in place to protect your business. Now, with the help of Ohio’s new Data Protection Act, there are even legal incentives for putting those safeguard policies in place.
To incentivize companies to adopt appropriate cybersecurity protections, Ohio enacted the Data Protection Act (DPA). Specifically, the law gives a safe harbor against data breach claims to companies that implement, maintain, and comply with one of several industry-recognized cybersecurity programs.
The major benefit of being a compliant business is the new affirmative defense to legal claims that frequently result from cybersecurity breaches. In the event of an attack, a DPA-compliant business can assert DPA compliance as a defense to any claim resulting from the breach, which could save businesses from the costs of court judgments and prolonged litigation. In this way, companies can use compliance with an established, credible, written policy as a shield against cybersecurity claims in the state of Ohio.
The text of the DPA states that the act does not “create a minimum cybersecurity standard that must be achieved” or “impose liability upon businesses that do not obtain or maintain practices in compliance with the act.” Instead, the DPA endeavors “to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action.”
In order to qualify for the safe harbor (Senate Bill 220), a business must implement a written cybersecurity program that:
The scale and scope of the company’s cybersecurity program should be based on these factors:
The Act also requires each cybersecurity program to “reasonably conform” to one of the following frameworks:
The DPA is the first law in the country to provide incentives to businesses to implement certain cybersecurity controls through an affirmative defense to liability in the wake of a data breach. With that said, these laws will be a work in progress. The act does not yet provide any additional information regarding how a company can successfully establish that its cybersecurity plan “reasonably conforms” with one of the listed frameworks. However, this cybersecurity law is a new opening for organizations of all sizes that want to limit their liability in case of a data breach, and the work is valuable regardless – you can’t go wrong with making the effort to be more secure in your business and establish better policies.
Implementing a robust cybersecurity management program can effectively minimize the risk of falling victim to an attack…but it can be a big job if you don’t know where to start or what to do next. Interlink’s consultants are experts in security and compliance – we have the knowledge and experience to help you devise a plan. Contact us today to see how we can help you on the path to achieving the protection the DPA promises.