Implementing a cybersecurity framework may begin to pay off for companies doing business in Ohio. As anyone following data privacy litigation knows, litigation stemming from data breach incidents can prove to be extraordinarily burdensome and expensive. Ohio is the first state to pass a law that will limit a business’s exposure in data breach litigation if the business has voluntarily adopted an identified cybersecurity framework.
In terms of the particulars, Ohio recently passed S.B. 220, which provides an affirmative defense against tort claims to businesses sued by data breach plaintiffs. The law will be codified at R.C. 1354.01–1354.05 and will go into effect on Nov. 2, 2018.
The law will provide a business with a “legal safe harbor” if the business adopts and complies with a “recognized cybersecurity framework.” The act lists a number of qualifying safe harbor cybersecurity frameworks including, but not limited to:
- Certain National Institute of Standards and Technology (NIST) frameworks
- For healthcare entities, the security requirements of HIPAA set forth in the Code of Federal Regulations 45 CFR Part 164 subpart C and HITECH as set forth in 45 CFR part 162
- For financial institutions, Title V of the Gramm-Leach-Bliley Act of 1999
- For the payment card industry, the payment card industry (PCI) data security standard
The act is clear that it does not set a minimum standard of care for cybersecurity, and so a business is not required to adopt one of the identified frameworks. Likewise, the act does not confer any private right of action for potential plaintiffs over a failure to implement a framework. Instead, it rewards a business for implementing and maintaining an industry-recognized cybersecurity framework by providing an affirmative defense. In this way the act promotes its purpose “to encourage businesses to achieve a higher level of cybersecurity through voluntary action.”
As with any newly enacted legislation, there are certain potential pitfalls for an unwary business. First, in order to receive safe harbor, the business must stay current with the identified framework, including implementing any updates or modifications made to the framework. Second, although it is labeled a “safe harbor,” the act provides an affirmative defense, which means that the act does not prevent or somehow block a plaintiff from filing a lawsuit. Rather, a business will have the burden of presenting facts to a court, showing that it has met all of the elements for safe harbor. Third, the act only provides an affirmative defense against “tort” claims (such as negligence, which is the most common claim in the consumer data breach class-action context), but the act does not provide an affirmative defense against contract or certain statutory claims.
Finally, the act is novel and the first of its kind among the 50 states, meaning that it may take years to determine the contours of the safe harbor in litigation. This is especially true because companies implementing and maintaining effective frameworks are less likely to suffer from a data loss event in the first instance (with the caveat that no cybersecurity framework offers a panacea for a breach event). Nevertheless, the act is a step in the right direction for incentivizing businesses to enact meaningful cybersecurity frameworks.
The act also amends Ohio’s Uniform Electronic Transactions Act (UETA) to accommodate blockchain technology. UETA makes electronic contracts legally enforceable and places electronic technologies on a par with paper media. Specifically, the law was amended to provide that a record or contract that is secured through blockchain technology is considered to be in an electronic form and to be an electronic record, and a signature that is secured through blockchain technology is considered to be in an electronic form and to be an electronic signature. The amendment clears up any question that may have existed as to the legitimacy of blockchain transactions under UETA.