In June 2018, the Ohio legislature passed Senate Bill 220, known as the Ohio Data Protection Act (the “Act”). The Act takes a new approach to cybersecurity in that it creates an affirmative defense for companies that suffer a data breach if they have a written cybersecurity program in place. According to the Act, it is “intended to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action.” The Act took effect on November 2, 2018; here are some of the key takeaways from Senate Bill 220 that could affect you this year.
Who is subject?
The affirmative defense is provided to a covered entity for tort claims following a data breach. A covered entity is any entity that accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside of Ohio.
What is required to comply?
The covered entity must create, maintain, and comply with a written cybersecurity program that conforms to an industry-recognized cybersecurity framework such as the CIS Critical Security Controls, FedRAMP, the PCI Standards, the HIPAA Security Rule, the Safeguards Rule of the Gramm-Leach-Bliley Act, and others. The cybersecurity program should reflect the size and complexity of the covered entity, the sensitivity of the information, and the resources and tools available to the covered entity.
How can Barnes Dennig help?
The two primary challenges in achieving compliance are determining the right cybersecurity framework and demonstrating full compliance. The Barnes Dennig Technology Team is happy to chat with you (at no cost to you) to help you better understand the requirements and what you might or might not need. Contact us here or call 513-241-8313 with any questions.