Is Ohio’s cybersecurity safe harbor your “get out of jail free” card?
I’m not going to go over the technical reasons why your organization needs a cybersecurity program. I’ve written before that organizations are cyber-targets for no other reason than being connected to the internet. All devices attached to the internet are at risk. Differentiating yourself from the big breaches (think Equifax, Anthem, OPM, etc.) doesn’t remove that risk. Likewise, avoiding collecting and maintaining credit card information, health care info or other personally identifiable information won’t remove the risk either.
To be a good cyber-citizen, you should already be steering your organization towards having a robust cybersecurity program. If there hasn’t been enough of an impetus in the past, perhaps Ohio’s new Cybersecurity Safe Harbor law will provide incentive today.
On Nov. 2, Senate Bill 220 (S.B. 220) went into effect and provides organizations with tort-related liability protection associated with cyberattacks, but only if you take adequate steps.
What does the safe harbor accomplish?
Victim organizations of cyberattacks often become targets of governmental enforcement actions and litigation from individuals and organizations that are upstream and downstream of the victim organization. S.B. 220 implements a safe harbor that enables organizations that have implemented appropriate cybersecurity programs to counter tort-based liability, and even shield you from penalties lobbied by government and other regulatory agencies. While not perfect, S.B. 220 might give enough reason to focus resources on your cybersecurity program.
Who does the safe harbor apply to?
S.B. 220 defines a “covered entity” as any type of business, including nonprofit organizations, that “accesses, maintains, communicates or processes” personal or restricted information. Personal information is defined as an individual’s name (first name or initial and last name) when combined with sensitive information like a Social Security number, state identification such as driver’s license, financial account or credit card. Restricted data is similar, but doesn’t divulge personal information. Instead, it is used to track and distinguish between different users.
Qualifying for the safe harbor
In order to be eligible for and invoke the safe harbor, an organization needs to “create, maintain and comply with a written cybersecurity program, containing administrative, technical and physical safeguards” that are designed to protect personal and restricted data. In addition, the program needs to “reasonably conform to an industry-recognized cybersecurity framework.” There are some considerations based upon the size, complexity and nature of the organization implementing the program.
To clear the path for your organization, you need to start by creating a written cybersecurity program. There are online resources as well as companies that help organizations identify an appropriate framework and set of controls applicable to the organization. Often those same resources can assist in writing, providing guidelines, templates and documents that can be used for the written cybersecurity program. While this is an essential piece, you must not stop there. In order to be able to rely upon the safe harbor, the organization must also be able to demonstrate that it is adhering to the controls in the established program. Unfortunately, this step is generally harder than writing the plan.
To take advantage of the safe harbor, Ohio organizations should look to implement these controls without delay. Seek out professional resources when it makes sense to speed the process along and to ensure you comply.
Damon Hacker is president and CEO of Vestige Digital Investigations. Vestige assists organizations in identifying, investigating, managing and protecting their most vital digital resources. It does that through a robust set of inter-related services including digital forensics and both proactive and reactive cybersecurity solutions.