Ohio Senate Bill 220 is now law.
Companies like Target, Facebook, Marriott, Sony, and Yahoo have two things in common: all are Fortune 500 companies with large IT security divisions and security budgets, and all have been breached within the last four years. Billions of usernames and passwords were exposed in those incidents, along with Social Security numbers, payment card data, and even patient health records. Beyond the Fortune 500, numerous state and federal government agencies have been attacked as well. When it comes to your business's information being stolen, it is no longer a question of IF, but a question of WHEN.
While some of these companies have paid regulatory fines and settlements (Target, for example, paid a substantial settlement), and some have offered their customers a free year of identity protection as a way to apologize (Sony), the cost is a drop in the bucket for corporations of that size. For the roughly 900,000 registered businesses in Ohio, a fine or gesture like that could be more than enough to close the business. Many of these businesses do not have the IT budgets that bigger companies do, and most do not have the in-house expertise to implement cybersecurity practices themselves. If that is the case, what is a business to do? This is where Ohio is leading the way by offering those businesses a helping hand: The Data Protection Act of 2018 (Ohio Senate Bill 220).
NFIB member Allen Perk serves on Governor Mike DeWine’s CyberOhio Advisory Board.
In short, the Data Protection Act states that if a business creates, maintains, and complies with a written cybersecurity program that reasonably conforms to an established industry framework (NIST SP 800-171, the NIST Cybersecurity Framework, or the CIS Controls, for example), each of which includes both technical and non-technical (policy, training, and process) requirements, the business gains a legal 'affirmative defense' to tort lawsuits alleging that it failed to implement reasonable security controls and that this failure resulted in a breach. The program must be scaled to the size of the business and the sensitivity of the data it holds, and it must be kept current as the chosen framework is revised. This is not a 'safe harbor' or a 'pass' that prevents a lawsuit from being filed, and it is not a 'get out of jail free' card: it is an arguable defense the business can raise in litigation over the theft of sensitive information, and the business must be able to document that it was actually following its program when the breach occurred.
All too often, we have seen that even Fortune 500 companies and government agencies cannot prevent the exposure of sensitive information. Identity protection services such as LifeLock state plainly that they cannot prevent identity theft. With that in mind, the Ohio legislature has chosen to reward businesses that raise their level of cybersecurity with an 'affirmative defense' rather than to penalize them for being breached. If you believe your business could use a higher level of cybersecurity, seek out experts who can help you select a framework, write the program, and meet the security requirements that you and your customers deserve.