Article written by:
Doug Davidson, CISA
Director of Information Technology Services
With the passage of the Ohio Data Protection Act in 2018, the State of Ohio did something no other governmental jurisdiction had done to date: it offered businesses a carrot to build a cybersecurity program rather than the proverbial regulatory stick (which in some industries feels more club than stick).
The Act incentivizes businesses to implement a cybersecurity program by providing a safe harbor to businesses that implement a program designed to:
- Protect the security and confidentiality of the information;
- Protect against any anticipated threats or hazards to the security or integrity of the information;
- Protect against unauthorized access to, and acquisition of, the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.
The “safe harbor” entitles a business to an affirmative defense against tort actions alleging that its failure to implement reasonable information security controls resulted in a data breach of personal information or restricted information. Note that it is a defense to be raised in litigation, not immunity from suit, and it does not relieve a business of breach-notification or other statutory obligations.
The Ohio Data Protection Act is voluntary, unlike the cybersecurity laws in New York, Massachusetts, or Nevada, not to mention the upcoming privacy headache of new legislation from California. It gives businesses a reason to be proactive with their cybersecurity program instead of adding more regulations they are required to follow.
The safe harbor is available to any business that “accesses, maintains, communicates, or processes personal information or restricted information.”
The Act names the industry-recognized cybersecurity frameworks that a business’s program must reasonably conform to in order to qualify, including:
- National Institute of Standards and Technology (NIST) Cybersecurity Framework.
- NIST Special Publications 800-53, 800-53A, or 800-171.
- Federal Risk and Authorization Management Program (FedRAMP).
- Center for Internet Security Critical Security Controls (CIS CSC).
- International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27000 family.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule Subpart C.
- Health Information Technology for Economic and Clinical Health Act (HITECH).
- Title V of the Gramm-Leach-Bliley Act of 1999 (GLBA).
- Federal Information Security Modernization Act of 2014 (FISMA).
The Act recognizes that the scope and scale of a business’s cybersecurity program depend on the following factors:
- Size and complexity of the business
- Nature and scope of the activities of the business
- Sensitivity of the information being protected
- Cost and availability of tools to improve information security and reduce vulnerabilities
- Resources available to the business
We see the Act as positive for several reasons:
- As GBQ IT Services conducts risk and security assessments, we find that firms that have adopted a framework at the management level are generally more secure than those that have not.
- We routinely see communication gaps between firm management and IT management. Business and technology speak different languages and sometimes talk past one another. A properly used framework-based approach to cybersecurity can improve communication between management and IT.
- It’s not just about protecting personal information. To properly implement any of the frameworks, a risk assessment needs to be completed and then repeated periodically (annually is the usual cadence). A well-scoped risk assessment will take into account the other information risks you may have. The Act is not concerned with protecting your bank transactions, the production systems connected to your network, your intellectual property, or your other information assets; however, the process of implementing a framework will include assessing threats to those assets as well.
GBQ IT Services has experience with all of the frameworks listed in the Act.
- We can help firms select the best framework (or, in some complex cases, frameworks).
- We can help firms create the written plan called for by the law in a manner that scales to your business.
- We can help firms implement the administrative, technical and physical controls called for by your written plan.
- We can help firms operationalize their selected framework. Reasonably conforming to a framework, as the Act requires, is an ongoing process, generally a set of routines that need to be scheduled and followed.
- And we can conduct any of the various risk and security assessments and penetration tests called for by your written security plan.