On August 3, 2018, Gov. Kasich signed legislation giving businesses a “safe harbor” defense against tort claims for economic harm arising from a data breach, as long as the business has taken reasonable steps to give its customers a baseline level of data protection.
These days, the question is not if your business will be targeted by hackers, but when.
Senate Bill 220 was the brainchild of the Ohio Attorney General’s CyberOhio Initiative and was co-sponsored by State Sen. Bob Hackett of London. Hackett recognized that many constituents struggle with this new frontier in every aspect of business. The bill provides an incentive to take “reasonable precautions” by conforming to an industry-recognized framework, but it does not impose liability on businesses that never develop cybersecurity controls: it creates a defense, not a duty. Because the bill points to frameworks maintained outside the statute rather than spelling out its own minimum standards, lawmakers won’t have to continually revisit the issue to keep those standards current.
Given that attacks can come from anywhere, keep in mind that the safe harbor is a creature of Ohio law and will likely only be available as a defense in suits brought in Ohio courts, or in other forums such as federal courts where the claim is based on Ohio law. A large-scale data breach may affect individuals in many states, and attorneys filing suit over such a breach are not restricted to filing in Ohio. While identity theft is the most common concern, another growing threat is ransomware: the attackers don’t steal the business’s data, they simply block access to it by encrypting it, and delete it or leave it encrypted if the business refuses to pay. Routine backups kept offline, where the attacker cannot reach and encrypt them too, and tested to confirm they actually restore, are one way to avoid that situation.
As a business owner, your obligation to notify victims of a data security breach depends on the nature of the information that was lost or stolen and the likelihood that the lost or stolen data will harm your customers or employees. The safe harbor applies only to tort claims for economic harm. It does not cover breach of contract claims or alleged violations of state or federal statutes governing privacy and data protection, such as Ohio Revised Code Section 1349.19 (Ohio’s breach notification law), the Health Insurance Portability and Accountability Act for health information, or the Gramm-Leach-Bliley Act for financial information.
The new Ohio safe harbor provision doesn’t let businesses avoid those obligations. Regulated entities must continue to comply with the current version of HIPAA, GLBA, FISMA or HITECH, as applicable. If those acronyms are alphabet soup to you, your business probably isn’t a highly regulated healthcare or financial institution. Other businesses can qualify by developing a written cybersecurity program that conforms to an industry-recognized framework; the frameworks named in the bill include the NIST Cybersecurity Framework, NIST Special Publications 800-171 and 800-53, FedRAMP, the CIS Critical Security Controls and the ISO/IEC 27000 family. The program must be scaled to the size of the business, the sensitivity of the information it holds and the resources available to it.
Writing a cybersecurity plan doesn’t instantly entitle your business to the safe harbor defense. As a business owner, you have to actually implement that plan, and train your employees to follow it, both to protect against data breaches and to respond when (not if) they happen. If you have questions about cybersecurity or this new law and how it impacts you, contact Breanne Parcels at firstname.lastname@example.org or call PS&E at 937-223-1130 for guidance.