The Ohio Data Protection Act: Explained the Envisage Way
Remember the days when antivirus software was something you could probably get away without having on your personal computer? When being hacked was something people talked about but still seemed rare? The internet moves fast and things are very different now: not only is antivirus software necessary on your home computer, but it’s imperative to have a cybersecurity program in place to protect your business, as well.
If you haven’t set up a cybersecurity program for your business yet, you probably know, not too deep down, that you should, but you just haven’t had the time, or the money, or maybe every time you think about it, your kids start fighting with each other and the idea gets lost in a mess of spilt Cheerios. Recently, though, Ohio passed a law called the Ohio Data Protection Act (or S.B. 220, as it’s known on the streets) that gives businesses an incentive to adopt cybersecurity programs that meet a recognized standard. The new law, which was signed August 3, 2018 and takes effect November 2, 2018, gives a business a legal defense if its information is breached but it had taken reasonable precautions against that breach. So if you can show, “Hey, look, I was really doing everything I could to prevent this security breach,” it’s going to look a lot better in court.
As things stand, most bigger businesses already have cybersecurity measures in place. This new law is aimed more at smaller businesses that may have treated protecting their information as a lower priority than it should be. “Being hacked” is not just a possibility today; it is something businesses need to actively defend against. Maybe you don’t think your twenty-page file on client Jim Smith’s gross foot condition is appealing to hackers, but we live in an information age where people all around the world are stealing data to fuel all sorts of random (and sometimes malicious) operations. And we can’t let customers suffer because they entrusted a business with their information.
So whereas a good cybersecurity plan may not have been necessary for a small business ten or fifteen years ago, today it could actually save your business from very real threats. And not just the big ones: you don’t want your business’s information breached by a clever 15-year-old working off his parents’ old computer. (That’s just kind of embarrassing.)
Unfortunately, unless you know what you’re doing, there’s no easy way to tell whether a cybersecurity program meets the requirements this new law specifies, which vary with the size and nature of the business. But if you’re willing to trudge through it, it offers a real advantage in the event of a breach. Look at it this way: the worst case is that you implement a quality cybersecurity plan and the breach never happens. If it does happen, this new law limits the fallout. It kind of sounds like it just makes sense.
So now that you’ve had that moment of panic (“I need to save my business!”), we’re here to tell you that it’s going to be all right. If you don’t enjoy legal documents as light reading, we’re going to address some basic questions you may have about this new law. We’re not attorneys, but cybersecurity is kind of our “thing.”
Q&A about the Ohio Data Protection Act:
Am I required to create a cybersecurity program?
Nothing in this law requires you to implement and follow a comprehensive cybersecurity program. However, if you are a “business that accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside this state,” you are a covered entity under the act, and a covered entity that suffers a breach can be held liable. Depending on your industry or the industries you serve, many businesses are already legally obligated to maintain a certain level of data protection, and in that case they really should have a program in place (but maybe don’t).
How does it give my business safe harbor?
Its basic intent is to help businesses that can show they have a cybersecurity program in place, that they maintain and actually follow that program, and that it conforms to an industry-recognized data protection framework (the NIST Cybersecurity Framework is one the act names). Should such a business suffer a data breach and be sued for negligence under tort law, it has an “affirmative defense”: it did what was reasonable to protect that data.
The law lays it out this way:
“The scale and scope of a covered entity's cybersecurity program under division (A)(1) or (2) of this section, as applicable, is appropriate if it is based on all of the following factors:
(1) The size and complexity of the covered entity;
(2) The nature and scope of the activities of the covered entity;
(3) The sensitivity of the information to be protected;
(4) The cost and availability of tools to improve information security and reduce vulnerabilities;
(5) The resources available to the covered entity.”
How do I know I meet these requirements?
There’s good news for the lost and cyber-insecure: we are here to help. Contact Envisage Group for a consultation today! (Don’t worry; we won’t talk about any deep childhood trauma until at least the third meeting.)
To view the new act yourself, visit the Ohio legislature website here.