New data security law offers safe harbour

05 December 2018

Special feature from Thomas J. Smedinghoff, David Szabo and Brandan Montminy at Locke Lord LLP, JLT’s Cyber Consortium Partner.

The Ohio Data Protection Act, enacted on 1 November 2018, may signal a new trend in the legal approach to corporate cyber security obligations. It may also assist businesses struggling to ensure they have implemented legally required data security.

The act introduces two very important cyber security compliance concepts:

  1. It implicitly recognises that compliance with selected industry norms and best practices provides legally compliant “reasonable security;” and
  2. For businesses following one of the approaches in the Act, it provides an affirmative defence to any tort action alleging that a business’ failure to implement reasonable information security controls caused a data breach of personal or restricted information,  as a “safe harbour”.

The act applies to any business that accesses, maintains, communicates, or processes “personal information” or “restricted information”, defined as:

  • “Personal information” – an individual’s name (first name or initial and last name), along with: (i) Social security number; (ii) Driver’s license number or state identification card number; or (iii) Account number or credit or debit card number, in combination with and linked to any required security code, access code or password that would permit access to an individual’s financial account
  • “Restricted information” – any information about an individual, other than personal information, that, alone or in combination with other information, including personal information, can be used to distinguish or trace the individual’s identity or that is linked or linkable to an individual, if the information is not encrypted, redacted or altered by any method or technology in such a manner that the information is unreadable, and the breach of which is likely to result in a material risk of identity theft or other fraud to person or property.

To assert the affirmative defence, a business must “create, maintain and comply with a written cybersecurity program” that satisfies three requirements:

  • It must “contain administrative, technical and physical safeguards for the protection of personal information [or personal information and restricted information] that reasonably conforms to an industry recognised cybersecurity framework as described in [the act].”
  • As to personal and/or restricted information, it must:

    (1) Protect the security and confidentiality of the information

    (2) Protect against any anticipated threats or hazards to the security or integrity of the information

    (3) Protect against unauthorised access to and acquisition of the information likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates, and
  • Its “scale and scope” must be appropriate based on

    (1) The business’ size and the complexity of the business;

    (2) The nature and scope of the business’ activities

    (3) The sensitivity of information to be protected

    (4) The cost and availability of tools to improve information security and reduce vulnerabilities; and

    (5) The resources available to the business.

The “industry-recognised cybersecurity frameworks” qualifying for safe harbour under the act (and to which an organisation must “reasonably conform”) are the following:

For all businesses:

  • NIST cyber security Framework
  • NIST Special Publication 800-171 (“protecting controlled unclassified information in non-federal systems and organisations”)
  • NIST Special Publications 800- 53 (“security and privacy controls for information systems and organisations”) and 800-53A (“assessing security and privacy Controls in Federal Information systems and organisations”)
  • The Federal Risk and Authorisation Management Program (FedRAMP) security assessment framework
  • Centre for internet security, critical security controls for effective cyber defence
  • International organisation for standardisation/international electro-technical commission 27000 family of information security standards – information security management systems ISO-27000 family.

For regulated businesses:

  • HIPAA security requirements
  • GLB security requirements
  • Health information technology for Economic and Clinical health act
  • PCI standard.

This approach appears to recognise that cybersecurity programs based on any of the foregoing provide “reasonable security”, thus creating a defence in the case of a breach.

This Ohio statute is the first cybersecurity law providing an express safe harbour for entities exercising “reasonable security”. However, in a precursor of sorts, a 2016 report from the California Attorney General identified a reverse safe harbour. The report noted “20 controls in the centre for internet security’s critical security controls [that] identify a minimum level of information security that all organisations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organisation’s environment constitutes a lack of reasonable security.” (Breach report 2016 from pp 27-34)

It is unclear whether either the safe harbour approach under the Ohio Act or the so-called reverse safe harbour approach promoted by the California Attorney General will gain traction. But, as businesses struggle with the issue of defining “reasonable security,” more law and regulation along these lines probably can be expected.

Download cyber decoder

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on