Ohio will soon have a law in place that provides a “legal safe harbor” from tort claims related to a data breach, to entities that have implemented and comply with certain cybersecurity frameworks. It remains to be seen whether any entity will ever be in a position to take advantage of the affirmative defense this law offers. Below is a summary of the key provisions, followed by comments on why the safe harbor is likely the equivalent of a really small umbrella in a downpour.
The legal safe harbor comes from amendments to Ohio law from Senate Bill 220, which was signed into law by Ohio Governor John Kasich on August 3, 2018, and will take effect 90 days after it is provided to the Ohio Secretary of State.
Safe Harbor Scope – The new law provides covered entities with an affirmative defense to tort claims based on Ohio law or brought in an Ohio court alleging that a failure to implement reasonable security standards resulted in a data breach.
- The safe harbor does not apply to tort claims filed in courts outside of Ohio that are not based on Ohio law. Not all data breaches lead to lawsuits, but the ones that do, usually affect individuals in multiple states. Law firms that commonly file these lawsuits can simply choose a non-Ohio forum.
- The safe harbor does not apply to non-tort claims, such as breach of contract claims. Lawsuits filed after an entity discloses a data breach usually include a mix of tort, statutory and contract-based claims.
Eligibility – To be entitled to the affirmative defense, a covered entity must demonstrate that it created, maintained, and complied with a written cybersecurity program that:
(1) Reasonably conforms to certain industry-recognized cybersecurity frameworks. The law gives three options for choosing a framework: (1) complying with one of six different industry frameworks (the NIST CSF, NIST 800-171, NIST 800-53, FedRAMP, the CIS Critical Security Controls, or the ISO 27000-family of controls); (2) for regulated entities, complying with the current version of HIPAA, GLBA, FISMA or HITECH; or (3) complying with PCI DSS and one of the six frameworks identified in number 1.
(2) Was designed to protect the security and confidentiality of information, protect against any anticipated threats or hazards to the security or integrity of information, and protect against unauthorized access/acquisition of information that is likely to result in a material risk of identity theft or other fraud.
(3) The scale and scope of the cybersecurity program must be appropriately tailored to the covered entity’s size, complexity, available resources, nature of operations and sensitivity of information to be protected.
- A covered entity will have the burden of proof to demonstrate that it meets all three eligibility requirements. There is a big difference between writing a cybersecurity plan and actually implementing it correctly at the start, let alone demonstrating compliance with the program requirements at the time of a security incident.
- Third-party certifications do not exist for several of the frameworks. For frameworks that do have third-party certifications, there are different certification types, and the more common certification types certify only the design of the program, not compliance in operation.
- Showing that the covered entity obtained a certification from a third-party auditor of compliance with a framework/standard at some point in time may not be sufficient to meet a defendant’s burden of proof – plaintiffs will likely argue that the covered entity must show compliance in fact at the time of the data breach. It is not uncommon for a merchant to obtain a certification by a third-party assessor that the merchant was compliant with PCI DSS at the time of the assessment, only to have the forensic firm conducting an investigation of a payment card security incident prepare a report that finds that the merchant was not compliant.
The Ohio law that offers a “legal safe harbor” sounds great until you look at the limited scope of the safe harbor and the challenges that will go into proving eligibility for the affirmative defense. Certainly, if there is an ability to assert the affirmative defense, it creates another obstacle for a defendant to put in the plaintiff’s path. But there are several paths a plaintiff can choose where this safe harbor will not come into play.