When state senators Bob Hackett and Kevin Bacon introduced Senate Bill 220, I for one felt a sense of relief that, at last, Ohio would finally take much-needed action on the issue of cybersecurity. The bill is far from perfect, but it is finally a START of what will hopefully result in meaningful comprehensive cybersecurity legislation.
What does the bill accomplish? It incentivizes Ohio companies to adopt a risk-based framework by providing a “safe harbor”, which is an “affirmative defense”, to tort claims arising out of data breaches caused by third-party malefactors. The bill indicates that all covered entities (any Ohio business that “…accesses, maintains, communicates, or handles personal information”, which is essentially every Ohio company) may seek a safe harbor under the law provided the company has a “written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information that complies with the NIST cybersecurity framework or other industry cybersecurity frameworks” (such as the Center for Internet Security Critical Security Controls or ISO 27000).
For health care entities complying with the Health Insurance Portability and Accountability Act (HIPAA), banks and other financial institutions complying with the Gramm-Leach-Bliley Act (GLBA), and government contractors complying with the Federal Information Security Modernization Act (FISMA), the bill allows a safe harbor for those entities that have developed their own frameworks to comply with industry regulations.
The bill requires that the written cybersecurity program of a covered entity seeking safe harbor be designed to do the following:
(1) Protect the security and confidentiality of personal information;
(2) Protect against any anticipated threats or hazards to the security or integrity of personal information;
(3) Protect against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.
The bill takes into consideration that not all entities face the same security challenges, and it acknowledges that the cybersecurity program of a covered entity may take into account the following:
(1) The size and complexity of the covered entity;
(2) The nature and scope of the activities of the covered entity;
(3) The sensitivity of the personal information to be protected;
(4) The cost and availability of tools to improve information security and reduce vulnerabilities;
(5) The resources available to the covered entity.
Now for the rub.
For a covered entity to successfully assert the affirmative defense afforded by the bill, it must demonstrate “substantial compliance” with its chosen risk-based framework or HIPAA, GLBA or whatever regulatory rubric applies to the covered entity. To a lawyer, the term “substantial compliance” automatically means “litigable issue.” What does “substantial” mean? It is wholly subjective and it will take years in Ohio courts, if ever, to create a case law definition. From a cybersecurity standpoint, we do not have years to shore up Ohio’s networks.
I guess what I’m really driving at is that Ohio needs a law with more teeth in it. How about a law that simply mandates that you have a written cybersecurity program and follow a risk-based framework if you maintain sensitive personal information as part of your business? Operators in health care, banking and any publicly traded company understand such a mandate. Entities that do not obey the law would be held accountable on the basis of negligence per se in the event they sustain a breach without a risk-based framework in place. Litigation will result either way. A clear mandate would bring more clarity to questions of liability, and presumably more businesses would adopt a risk-based framework in the face of a mandate.
In the end, isn’t this more about security than liability?