Implementing a robust cybersecurity program is a business investment. Recently, numerous states have proposed a return on that investment in the form of statutory incentives for organizations that maintain certain technical safeguards. Incentive-based legislation can be used to convince management that investing in a cybersecurity program will create a return in the future.
For example, last year, Ohio proposed a bill that created a legal incentive for companies to create and implement a cybersecurity program. The proposed bill has now passed and will become effective November 2, 2018 (“Ohio Data Protection Act” or “Act”).
Under the Act, a company can raise an affirmative defense to data breach tort claims (such as negligence) brought under the laws or in the courts of Ohio if the company created, maintained and complied with a written cybersecurity program. To establish the defense, a company would have to show that its security program contained administrative, technical and physical safeguards designed to protect either “personal information” or “personal information and restricted information.”
The Act intentionally lacks specific technical details so the legislature does not need to continually revisit the law as technology evolves. Rather, the Act provides that the company’s security program should be influenced by the following factors: (1) the company’s size and complexity, (2) the nature and scope of its activities, (3) the sensitivity of its information, (4) the cost and availability of tools to improve security and (5) the resources available.
To use the affirmative defense, companies must implement a written cybersecurity program that “reasonably conforms” to one of several frameworks identified in the law, including:
- The NIST Cybersecurity Framework, NIST’s SP 800-171, SP 800-53, or SP 800-53a, FedRAMP, the CIS Critical Security Controls, or the ISO 27000 standards;
- HIPAA, the Gramm-Leach-Bliley Act, FISMA, or HITECH; or
- The PCI Data Security Standard (PCI DSS) combined with one of the other above standards.
Companies struggle to justify investing resources in a cybersecurity program. Incentive-based laws should be used to convince management that investing in a cybersecurity program will reap tangible benefits. Regulatory investigation safe harbors and potential litigation defenses are an excellent investment and can help the company’s bottom line in the event of a costly breach.