Ickes \ Holt LLC

Feb 16, 2018

Is Ohio Getting Its Cybersecurity Act Together?


When state senators Bob Hackett and Kevin Bacon introduced Senate Bill 220, I for one felt a sense of relief that, at last, Ohio would finally take much-needed action on the issue of cybersecurity. The bill is far from perfect, but it is finally a START of what will hopefully result in meaningful comprehensive cybersecurity legislation.

What does the bill accomplish? It incentivizes Ohio companies to adopt a risk-based framework by providing a “safe harbor”, which is an “affirmative defense”, to tort claims arising out of data breaches caused by third-party malefactors. The bill indicates that all covered entities (any Ohio business that “…accesses, maintains, communicates, or handles personal information”, or, essentially, all Ohio companies) may seek a safe harbor under the law provided the company has a “written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information that complies with the NIST cybersecurity framework or other industry cybersecurity frameworks (such as Center for Internet Security Critical Security Controls, ISO 27000).”

For health care entities complying with the Health Insurance Portability and Accountability Act (HIPAA), banks and other financial institutions complying with the Gramm-Leach-Bliley Act (GLBA), and government contractors complying with the Federal Information Security Modernization Act (FISMA), the bill allows a safe harbor for those entities that have developed their own frameworks to comply with industry regulations.

The bill requires that the written cybersecurity programs of covered entities seeking safe harbor be designed to do the following:

(1) Protect the security and confidentiality of personal information;

(2) Protect against any anticipated threats or hazards to the security or integrity of personal information;

(3) Protect against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.

The bill takes into consideration that not all entities have the same security challenges.  The bill acknowledges that the cybersecurity program of covered entities may take into account the following:

(1) The size and complexity of the covered entity;

(2) The nature and scope of the activities of the covered entity;

(3) The sensitivity of the personal information to be protected;

(4) The cost and availability of tools to improve information security and reduce vulnerabilities;

(5) The resources available to the covered entity.

Now for the rub.

For a covered entity to successfully assert the affirmative defense afforded by the bill, it must demonstrate “substantial compliance” with its chosen risk-based framework or HIPAA, GLBA or whatever regulatory rubric applies to the covered entity.  To a lawyer, the term “substantial compliance” automatically means “litigable issue.” What does “substantial” mean?  It is wholly subjective and it will take years in Ohio courts, if ever, to create a case law definition.  From a cybersecurity standpoint, we do not have years to shore up Ohio’s networks.

I guess what I’m really driving at is that Ohio needs a law with more teeth in it. How about a law that simply mandates that you have a written cybersecurity program and follow a risk-based framework if you maintain sensitive personal information as part of your business? Operators in health care, banking and any publicly traded company understand such a mandate. Entities that do not obey the law will be held accountable on the basis of negligence per se in the event they sustain a breach without a risk-based framework in place. Litigation will result either way. A clear mandate would bring more clarity to questions of liability, and presumably more businesses would adopt a risk-based framework in the face of a mandate.

In the end, isn’t it more about security than liability?

Categories: Cybersecurity
