Would your company be able to mount a sound defense if your customers’ or clients’ private information was breached? With the help of a newly enacted Ohio protocol, you may have legal protection if you meet certain industry standards. These latest developments in business cybersecurity in Ohio were the focus of the recent Winter Cybersecurity Forum, where a panel addressed the proper security, insurance, legal and compliance frameworks to prevent cybercrime.

Joseph Compton, Skoda Minotti Risk Advisory Services, joined a panel of cybersecurity experts to consider the new “safe harbor” changes to Ohio’s Data Protection Act (DPA), which provides businesses with the ability to proactively prepare an “affirmative defense” by meeting certain security standards.

See related blog: Ohio Legislature Enacts Nation’s First Cybersecurity Safe Harbor Law.

Greg Tapocsi, director of CyberOhio, kicked off the forum by explaining the state’s response to the escalation of cyberattacks, from business email compromise and spear phishing to whaling and SMishing, a form of social engineering via texting or SMS message. Tapocsi explained that the state must walk the middle ground between the government being overbearing and protective. That middle ground is the new safe harbor law that incentivizes businesses to become more secure by complying with certain privacy frameworks.

Safe Harbor Frameworks

The safe harbor frameworks, which became effective Nov. 1, 2018, are a voluntary means for businesses to proactively protect themselves and their customers from harm caused by data breaches. The requirements are scalable according to the size and complexity of the business, activities of the business, sensitivity of the personal information and the cost and availability of tools to improve cybersecurity. Whenever a revision to a framework is released, businesses have one year to make the updates to remain in compliance with the DPA.

Ohio’s DPA includes eight industry frameworks that businesses should use as a model for their cybersecurity programs. Certain industries, such as healthcare, credit card services and government, are required by federal law to comply with one of three additional frameworks: HIPAA, PCI and FISMA.

Making the Case for an Affirmative Defense

As Tapocsi explained, the changes to the DPA establish a legal safe harbor that can be used as an affirmative defense against tort measures in the event of a privacy breach. While you agree that the event took place, you can claim you are not liable because you did everything possible to prevent it by meeting one or more of the 11 industry-recognized frameworks. In other words, you affirm that you have complied with the DPA frameworks as well as any other industry-specific framework you must follow.

Still, it can be confusing for businesses to understand what they need to do. As Compton explained, Skoda Minotti has clients that need to comply with six or seven standards.

“Companies hire Skoda Minotti Risk Advisory Services to conduct their IT audit because their customers require it,” said Compton. “They will lose business if they don’t get the audit. The DPA should be looked at as a competitive advantage. It tells your customers that you value privacy.”

The panelists also discussed whether the U.S. is heading in the same direction as the EU, which last year began enforcing the General Data Protection Act (GDPR). The GDPR is designed to protect the personal data of any individual in the EU, including citizens and visitors to the EU, regardless of whether the organization processing or controlling the data resides in the EU.

While California is leading the charge for a similar right in the U.S., panelists agreed that the U.S. prides itself on innovation and is careful to protect it. Another factor is the speed at which we want to access information. As an example, Compton reminded attendees that Air Canada requires its customers to log in all their personal contact information every time they book a flight. Would most U.S. consumers put up with the same and give up convenience? Probably not.

“In my experience, companies already have the controls they need—they just need to know how to effectively turn them on,” said Compton. “We simply need to better educate ourselves.”

Panelist Lacy Rex, Cyber Strategic Leader with Oswald Companies, was quick to remind the audience that just because you outsource a function, it doesn’t mean you are outsourcing your liability. “More than 50 percent of HIPAA losses are from third parties,” said Rex. “You must manage your vendor relationships as an extended arm of your company.”

Compton emphasized the need for each business to be aware of its risks. “It all comes down to the quality of the risk assessment you have done—you have to know when to bring in the experts,” he said. “What the Ohio law says is that we’re open for business. It rewards businesses in Ohio for doing things they already should be doing by making them better able to defend themselves.”

Do you have questions about the DPA security frameworks or other Risk Advisory questions? Please contact Joe Compton, CISSP, CISA, QSA, at 440-449-6800 or jcompton@skodaminotti.com.