Senate Bill 220 - The Data Protection Act

The  Data Protection Act encourages businesses to voluntarily put together and use strong cybersecurity policies that will protect customer data. Strong policies and definitive actions by businesses will help save customers from the expense, embarrassment, and harm caused by having their personal information stolen by cybercriminals.

The legislation was sponsored in the General Assembly by Senator Bob Hackett (R-London) and former Senator Kevin Bacln (R-Westerville). After being signed into law by former Governor John Kasich, the Data Protection Act became effective November 2, 2018. This means that businesses can receive the benefits of the Data Protection Act for any activities that occur after November 2, 2018.

How Does the Data Protection Act Work?

The purpose of the Data Protection Act is to provide an affirmative defense to a lawsuit that alleges a data breach was caused by a business’ failure to implement reasonable cybersecurity controls.

What is an affirmative defense? An affirmative defense allows a defendant to introduce evidence in a court hearing, that if found to be credible, can negate civil liability, even if the allegations are true.

A familiar example of an affirmative defense that many persons might be aware of is a statute of limitations. A statute of limitations is a rule that requires a lawsuit to be filed in a certain a certain amount of time, such as two years from the date a person is injured. If the injured party then waits for three years to file its lawsuit, the other party cannot be held liable, even if all of the allegations in the lawsuit are true.

Likewise, the Data Protection Act’s affirmative defense works in a similar fashion. If the business follows the requirements of the Data Protection Act, the business will not be found liable for certain claims in the lawsuit, even if the allegations are correct.

It is up to the business claiming the affirmative defense to prove in court that its actions met the requirements of the Data Protection Act.

What Does A Business Have to Do to Receive the Affirmative Defense?

To receive the affirmative defense, a business must implement and maintain a cybersecurity program that reasonably conforms to at least one of 11 industry-recognized cybersecurity frameworks found in the legislation. The National Institute of Standards and Technology defines a cybersecurity framework as a set of guidelines for companies to follow to be better prepared in identifying, detecting, and responding to cyber attacks. A framework also typically includes guidelines on how to prevent and recover from an attack.

The Data Protection Act is Voluntary

It is important to emphasize that the Data Protection Act is voluntary: the decision whether to comply with the statue is left with the business owner. Instead, the Data Protection Act is intended to be an incentive for businesses to achieve a higher level of cybersecurity through voluntary action. In fact, the Data Protection Act specifically says that if a business chooses to not comply with the Data Protection Act, such non-compliance cannot be used against the business in a court proceeding.

How is the Data Protection Act Scalable?

Every business has different cybersecurity needs. According to Fortune magazine, 25 of the largest companies in the world have headquarters in Ohio. However, the United States Small Business Administration indicates that over 939,000 small businesses are based in Ohio as well. Due to this significant difference, the Data Protection Act is written to be “scalable.” In other words, the requirements of the Data Protection Act depend on:

• The size and complexity of the business;
• The nature and scope of the activities the business is involved in;
• The sensitivity of personal information maintained by the business;
• The cost and availability of tools to improve information security and vulnerabilities; and
• The resources available to the business.

Which Cybersecurity Frameworks are Included in the Data Protection Act?

The Data Protection Act includes 11 different cybersecurity frameworks that can be tailored to your business needs. The frameworks include:

• National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. This voluntary, general purpose framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The framework can be used by organizations in all business sectors to improve their cybersecurity risk management and consists of 20 different security control groups.
• NIST Special Publication 800-171. This publication applies to all federal agencies and government contractors that work with U.S. government systems that hold “controlled unclassified information.” Controlled unclassified information is a broad category that covers many different types of sensitive information that do not reach the threshold of “classified information.” Examples include documents containing health data or information related to legal proceedings.
• NIST Special Publication 800-53. Initially, this framework applied to information systems used by the U.S government. However, 800-53 has now been accepted as a general purpose framework utilized by a variety of sectors, including business, government, and education.
• Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework. FedRAMP is a federal government-wide program that provides a standardized framework for cloud-based services. This framework is now utilized by all sectors using the “cloud.”
• Center for Internet Security Critical Security Controls for Effective Cyber Defense. Another voluntary, general purpose framework that has found mainstream adoption. Unlike more comprehensive frameworks such as the NIST controls, the Critical Security Controls were written to give organizations a smaller number of actionable controls that can provide immediate results. Instead of implementing a large number of controls at the outset, this framework helps business owners establish a baseline protection and then grow their cybersecurity programs at a later date.
• International Organization for Standardization/International Electrotechnical Commission (ISO) 27000 family. The ISO 27000 family of voluntary frameworks applies to all types of organizations and has found substantial use in the manufacturing sector. This framework family is based on a 6-step planning process that involves teamwork between all parts of an organization.
• The security requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as set forth in 45 CFR Part 164 Subpart C. The HIPAA framework establishes national standards for organizations that handle personal health information.
• Title V of the Gramm-Leach-Bliley Act of 1999 (GLBA), Public Law 106-102, as amended. The GLBA framework establishes security requirements for financial institutions such as banks, insurance companies, or financial/investment organizations.
• The Federal Information Security Modernization Act of 2014 (FISMA), Public Law 113-283. FISMA is federal law passed in 2002 that requires federal agencies to develop, document, and implement a cybersecurity program. NIST plays an important role in FISMA as it produces the important standards required by FISMA.
• The Health Information Technology for Economic and Clinical Health Act (HITECH) as set forth in 45 CFR part 162. The HITECH framework creates national standards concerning the implementation of electronic health records and any supporting technology.
• Payment Card Industry Data Security Standard (PCI DSS). If you a merchant of any size that accepts credit cards, you must comply with the PCI DSS framework. Please note: In order to receive the benefits of the Data Protection Act, a business using the PCI DSS framework must also show that it complies with at least one other framework specified in the statute. PCI DSS is the only framework that has this special requirement.