Cyber Safe Harbor

Firms that meet compliance standards and have an incident response plan (IRP) in place are a step ahead when a cybersecurity attack occurs. These measures not only reduce the chance of an incident but also help firms prepare for and survive an attack. Having such a plan in place may even lead insurance companies to offer firms lower premiums to protect their business.

Making sure your firm has top-notch cybersecurity will become even more of a priority going forward in the state of Ohio. A newly introduced bill in the Ohio Senate seeks to legally protect Ohio-based businesses that meet government and industry cybersecurity standards if a data breach lawsuit occurs. This is great news for law firms: because the bill points to well-known industry standards, complying will be a straightforward task.

The Data Protection Act

Ohio Senate Bill No. 220 (S.B. 220), known as the Data Protection Act, has been introduced to incentivize businesses to attain a “higher level of cybersecurity” by maintaining a compliant cybersecurity program. This means that if a firm is sued for negligently failing to implement reasonable information security controls, resulting in a data breach, the firm can assert its compliance with a recognized framework as an affirmative defense.

The intent of this proposed bill is to encourage Ohio businesses to truly adopt strong cybersecurity measures to protect their firms. To qualify, a firm must operate in Ohio and implement a program that reasonably conforms to the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST) or to one of eight other industry-recommended frameworks:

  1. NIST SP 800-171
  2. NIST SP 800-53 and 800-53A
  3. The Federal Risk and Authorization Management Program (FedRAMP)
  4. Center for Internet Security (CIS) Critical Security Controls
  5. The ISO 27000 Family
  6. The HIPAA Security Rule
  7. The Gramm-Leach-Bliley Act
  8. The Federal Information Security Modernization Act (FISMA).

The Details

The S.B. 220 safe harbor applies specifically to tort claims (i.e., negligence and invasion of privacy claims) and would not provide blanket immunity against all data breach lawsuits (e.g., contract-based claims such as a business-vendor dispute). Since S.B. 220 creates an affirmative defense to a lawsuit, the burden is on the firm to prove that its cybersecurity program does comply with one of the eight industry-recommended frameworks listed above. If S.B. 220 is enacted into law, firms will have a strong incentive to establish a compliant program.

It’s important to realize that S.B. 220 “does not, and is not intended to, create a minimum cybersecurity standard that must be achieved,” nor should it “be read to impose liability upon businesses that do not obtain or maintain” such a program.

Establishing a program is not a one-size-fits-all task. Understanding your firm’s needs is crucial for determining the scope. Factors to keep in mind include: a) the size, complexity, and nature of the business and its activities; b) the level of sensitivity of the personal information held; c) the cost and availability of tools to improve security and reduce vulnerabilities; and d) the resources the business has at its disposal to spend on cybersecurity.

Meeting the Standard for Safe Harbor

S.B. 220 serves as a strong reminder for firms to implement a strong cybersecurity program to protect their information. Now is also a good time to review current cybersecurity plans and determine how to enhance them in 2018. Identify the risk areas in your firm and make sure an appropriate IRP is in place before an incident happens.

S.B. 220 offers eight ways to comply. Here we have chosen NIST Special Publication 800-171. By implementing the controls in its 14 control families, a firm would qualify for the aforementioned limited safe harbor in data breach lawsuits:

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Personnel Security
  10. Physical Protection
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

Even if S.B. 220 dies in a quiet corner of the statehouse, voluntary compliance with these or other industry standards provides immediate value to a firm in many ways, ranging from lower total IT expenditure, insulation against risk, and preservation of the firm’s reputation to improved uptime, operational consistency, and more.
