Ohio Passes Data Protection Act, Providing Safe Harbor to Organizations that Experience a Data Breach
thinkCSC announces new services to support businesses achieving safe harbor under Ohio’s Data Protection Act
Columbus, Ohio – August 2018 – Senate Bill 220, now known as the Ohio Data Protection Act, was recently signed into law. The Act gives organizations of every size a way to limit their liability after a data breach. To qualify for its safe harbor, an organization must implement and maintain a written cybersecurity program that reasonably conforms to an industry-recognized framework such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The NIST Cybersecurity Framework is a voluntary framework that provides organizations with standards, guidelines, and best practices for managing cybersecurity-related risk. The Ohio Data Protection Act was enacted to reward Ohio organizations that invest in mitigating cybersecurity risk; the protection it offers is an affirmative defense against certain tort claims, not blanket immunity from liability. Organizations already meeting the compliance requirements of HIPAA, GLBA and/or FISMA would also be protected.
The legislation has had strong support from Ohio Attorney General Mike DeWine as part of his CyberOhio initiative. Upon the passing of the bill, he released the following statement:
“I congratulate Senator Hackett and Senator Bacon for working with their Senate and House colleagues to pass this important bill and send it to the governor’s desk and commend the governor for signing it into law. By encouraging Ohio business owners to take appropriate and proven steps to enhance their cybersecurity, Ohioans can be confident that their personal information will be better protected. Companies have even more incentive to invest in strong cyber security controls.”
The Ohio Data Protection Act states that if an organization implements and maintains a cybersecurity program that complies with one of the recognized cybersecurity frameworks (the NIST Cybersecurity Framework, HIPAA, GLBA, and others), then that organization “is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information.”
According to the Act, to qualify for safe harbor, the organization must do one of the following:
(1) Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry recognized cybersecurity framework; or
(2) Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of both personal information and restricted information and that reasonably conforms to an industry recognized cybersecurity framework.
Option (2) is the broader program: it covers restricted information as well as personal information, and the defense it earns extends to breaches involving both categories of data.
Tom Hastings, President of Columbus-based thinkCSC, commented, “Complying with these cybersecurity protocols not only provides organizations with safe harbor and limits their liability should a breach occur, but it also gives them the ability to reassure their own customers and clients that they take their responsibility seriously when it comes to protecting data.”
thinkCSC is one of the few Ohio IT managed service providers helping organizations build and maintain a cybersecurity program that qualifies for the Act’s safe harbor.
To help organizations meet the minimum standards set forth in the Act, thinkCSC has announced the following services, which support the activities called for by the NIST Cybersecurity Framework, available to all private and public businesses, non-profits, and K-12 educational institutions:
- Cybersecurity Gap Analysis
- Security Awareness Program Implementation
- Security Awareness Training Program
- Incident Response Policy
- Risk Assessment
- Vulnerability Assessment
- Internal & External Combined Penetration Testing
- Policy Review & Development
thinkCSC encourages every organization to take the steps necessary to benefit from Ohio’s Data Protection Act. To learn more about how your organization can begin the process, contact thinkCSC now.
For central Ohio’s business, government, and education communities, thinkCSC is an IT services firm that invests in client success. thinkCSC is large enough to meet all your IT needs, yet small enough to walk with you in your journey. For over 25 years the people at thinkCSC have been a part of this success by virtue of our expertise and extensive portfolio of professional, managed, and cloud services.