Login | October 20, 2018

Bill would create 'safe harbor' for businesses victimized by cybersecurity breach

Special to the Legal News

Published: January 3, 2018

A bill that would protect businesses that - despite their good faith efforts to guard the personal data of their clients - are hacked got a first hearing before an Ohio Senate committee in recent days.

Sponsors of Senate Bill 220, Republican Sens. Robert Hackett of London and Kevin Bacon of Columbus, characterize the legislation as a safe harbor for businesses throughout the Buckeye State that are abiding by cybersecurity best practices to protect their business interests and the sensitive, personal information of their clients.

SB 220 would provide an incentive for businesses to achieve a higher level of cybersecurity through voluntary action, and to provide an affirmative defense to a lawsuit which alleges a data breach was caused by a business' failure to implement reasonable information security controls, Hackett told fellow senators seated for the committee.

"In order to receive the benefit of the safe harbor, a business must create its own cybersecurity program," he said. "To provide guidance to businesses, SB 220 lists eight different industry-recognized cybersecurity frameworks which a business can follow when creating its own cybersecurity program."

The acceptable frameworks include multiple publications of the National Institute of Standards and Technology Cybersecurity Framework and the following:

• The Federal Risk and Authorization Management Program;

• Center for Internet Security Critical Security Controls;

• International Organization for Standardization/International Electrotechnical Commission 27000 Family Information Security Management Systems;

• The security requirements of the federal Health Insurance Portability and Accountability Act of 1996;

• Title V of the federal Gramm-Leach-Bliley Act of 1999; and

• The Federal Information Security Modernization Act of 2014.

"Businesses are only required to incorporate one of the frameworks into the business' cybersecurity program," Hackett said. "Further, businesses are free to choose whichever framework best fits their information security controls."

The bill also would create an affirmative defense to any tort action against a covered entity because of a data breach of personal information, if the entity is accused of failing to implement reasonable information security controls to prevent the breach and the entity has a cybersecurity program that meets the bill's requirements.

The personal information subject to SB 220's provisions includes an individual's Social Security number, a driver's license or state identification card number or the individual's account number or credit or debit card number in combination with any security code, access code, or password that would permit access to the individual's financial account.

Any of those elements paired with the individual's name in an unencrypted, unredacted, or unaltered fashion would be considered unprotected personal information, per the bill's provisions.

"Understandably, the cybersecurity needs for a business vary with the size of the business and the type of industry that the business engages in," the lawmaker continued. "As a result, SB 220 is 'scalable' to the needs of a particular business.

"In other words, the requirements of SB 220 would depend on the size and scope of each business.

He said the legislation prescribes five factors upon which a business' cybersecurity program can be based, such as size and complexity of the business along with the resources available to the business.

"Additionally, each of the eight industry-recognized cybersecurity frameworks mentioned in the legislation are designed to be scalable as well," Hackett added.

Additionally, the bill does not provide a private right of action that would allow a person to sue a covered entity for failing to follow the bill's cybersecurity requirements, while other provisions specify that the bill's provisions are severable and that the bill is intended to encourage improved cybersecurity through voluntary action.

"It is important to note that the legislation does not create a minimum cybersecurity standard that can be violated and consequently added to a lawsuit against a business owner," the lawmaker concluded. "In fact, the legislation specifically states that the legislation shall not be read to impose liability on businesses who do not comply with the provisions within SB 220."

SB 220 had not been scheduled a second hearing as of publication.

Copyright © 2017 The Daily Reporter - All Rights Reserved