Ohio Establishes Cybersecurity Program Affirmative Defense
Through Ohio Senate Bill 220 (the “Act”), the State has established an affirmative defense to a tort action brought against a covered entity because of a data breach. The Act defines “covered entity” to mean “a business that accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside this state.” (Ohio Revised Code §1354.01(B)) In order to meet the requirements for the affirmative defense, a covered entity must have a compliant written cybersecurity program that contains certain safeguards. (O.R.C. §1354.02) The cybersecurity program may protect just personal information or both personal and restricted information. If the program is only designed to protect personal information, then the affirmative defense may be used to defend against a tort action alleging that the failure to implement reasonable information security controls resulted in a data breach concerning personal information. (O.R.C §1354.02(A) and (D)). The Act sets requirements for cybersecurity programs and identifies approved cybersecurity frameworks with which covered entities must reasonably conform with:
- The Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST);
- NIST Special Publication 800-171;
- NIST Special Publications 800-53 and 800-53a;
- The Federal Risk and Authorization Management Program Security Assessment Framework;
- The Center for Internet Security Critical Security Controls for Effective Cyber Defense;
- The International Organization for Standardization/International Electrotechnical Commission 27000 Family – Information Security Management Systems. (O.R.C. §1354.03(A))
If the covered entity is regulated by the State, the federal government, or both, or is otherwise subject to the requirements of any of the laws or regulations listed below, the entity meets the cybersecurity program requirements if the program conforms to:
- The security requirements of the federal Health Insurance Portability and Accountability Act of 1996 , which governs healthcare;
- Title V of the federal Gramm-Leach-Bliley Act of 1999, which applies to financial institutions;
- The Federal Information Security Modernization Act of 2014, which generally covers federal agencies;
- The Health Information Technology for Economic and Clinical Health Act, which applies to healthcare providers. ((O.R.C. §1354.03(B))
Blockchain
Definitions for “electronic record and “electronic signature” have been amended to include blockchain technology; “a record or contract that is secured through blockchain technology is considered to be in an electronic form and to be an electronic record.” (O.R.C. §1306.01(G)) and “[a] signature that is secured through blockchain technology is considered to be in an electronic form and to be an electronic signature.” (O.R.C. §1306.01(H))
The full legislation text can be found here: https://www.legislature.ohio.gov/legislation/legislation-summary?id=GA132-SB-220
Comments are closed.