In August 2018, the Ohio Data Protection Act was signed into law. The Data Protection Act provides businesses that store or transmit personal information with a safe harbor in the event they are breached, but only if they follow a cybersecurity framework. This bill represents a significant step forward for all organizations interested in limiting their liability in the event of a data breach, and it offers organizations clear steps on what they must do to qualify for safe harbor under the Act.
The Risk
Hackers are only growing more sophisticated; they find new ways every day to breach security and compromise data. The costs of a data breach are more than just the loss of customer loyalty and brand reputation; lawsuits resulting from data breaches cost organizations millions of dollars every year. Ohio's Data Protection Act, however, limits the risk organizations face from a data breach, provided they meet specific cybersecurity protocols.
Protect Your Organization Now
To meet the requirements for safe harbor, the organization must demonstrate compliance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The NIST Cybersecurity Framework is a voluntary framework that provides organizations with standards, guidelines, and best practices to better manage cybersecurity-related risk. The Ohio Data Protection Act protects Ohio organizations that invest in achieving the cybersecurity standards laid out by NIST. Organizations already meeting the compliance requirements of HIPAA, GLBA, and/or FISMA would also be protected.
According to the Act, to qualify for safe harbor, the organization must create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information or both personal information and restricted information that reasonably conforms to an industry recognized cybersecurity framework.
Take Action Now to Protect Your Organization
While the Act is clear that it does not set a minimum standard for organizations, organizations that do invest in meeting the cybersecurity requirements will be eligible to employ an affirmative defense against any tort claim arising from a data breach.
thinkCSC offers the following services required to comply with NIST guidelines, available to all private and public businesses, non-profits, and K-12 educational institutions:
- Cybersecurity Gap Analysis
- Security Awareness Program Implementation
- Security Awareness Training Program
- Incident Response Policy
- Risk Assessment
- Vulnerability Assessment
- Internal & External Combined Penetration Testing
- Policy Review & Development
thinkCSC encourages every organization to take the steps necessary to take advantage of the Ohio Data Protection Act. To learn more about how your organization can begin the process, contact thinkCSC now.