Cybersecurity


Most people do not regard their cybersecurity and privacy documentation as a proactive security measure.

On the contrary, many view documentation as a passive effort that offers little protection to a company, generally an afterthought that must be addressed to appease compliance efforts.

Documentation may get some much-needed attention through Ohio’s recent passage of the Ohio Data Protection Act (ODPA), legislation that supports the premise that properly scoped cybersecurity and privacy documentation can be used as an offensive tool to reduce risk. This article covers the real-world, strategic advantage that good cybersecurity and privacy documentation can offer.

The ODPA brings a novel approach to data protection laws in the United States.

Unlike the earlier Oregon and Massachusetts state data protection laws, which contain checklists of mandatory requirements, Ohio passed a law that (1) does not create a minimum set of cybersecurity requirements and (2) is optional for businesses to follow.

Yes, you read that correctly. The law is optional, and businesses are given no specific requirements. What Ohio did was allow businesses to be protected from a tort (civil lawsuit) within the state of Ohio that alleges an accused’s “failure to implement reasonable information security controls resulted in a data breach concerning personal information.” To be protected by this safe harbor, businesses must align with a leading cybersecurity framework. Ohio went as far as defining which cybersecurity frameworks are acceptable.

This data protection law is unique because it rests on an affirmative defense, which allows a defendant to introduce evidence that, if found credible, can negate civil liability even if the allegations are true. In practical terms under this law, if a company is sued in the state of Ohio over a legitimate data breach, the lawsuit will be thrown out if the company can prove that its cybersecurity program was aligned with a leading cybersecurity framework (e.g., NIST 800-171, NIST 800-53, ISO 27002, CIS CSC, etc.) at the time the incident occurred.

While it applies only to businesses within Ohio’s legal scope, this law may start a national trend that shifts the focus onto businesses themselves to define and implement “what right looks like” for cybersecurity and privacy controls.
