Tag Archives: cyber law

New Ohio Law Creates Legal Incentive to Create Cybersecurity Program

Implementing a robust cybersecurity program is a business investment. Recently, numerous states have proposed a return on that investment in the form of statutory incentives for organizations that maintain certain technical safeguards. Incentive-based legislation can be used to convince management that investing in a cybersecurity program will create a return in the future.

For example, last year, Ohio proposed a bill that created a legal incentive for companies to create and implement a cybersecurity program. The proposed bill has now passed and will become effective November 2, 2018 (“Ohio Data Protection Act” or “Act”).

Under the Act, a company can raise an affirmative defense to data breach tort claims (such as negligence) brought under the laws or in the courts of Ohio if the company created, maintained and complied with a written cybersecurity program. To establish the defense, a company would have to show that its security program contained administrative, technical and physical safeguards designed to protect either “personal information” or “personal information and restricted information.”

California Becomes First State to Pass IoT Security Law

California continues to pass tighter laws in the cybersecurity world.

California Governor Jerry Brown recently signed into law bill No. 327, which requires connected device manufacturers to include “reasonable” security features for those devices sold in California. With passage of this new law, California becomes the first state in the nation to adopt such legislation.

What the Law Requires

Beginning on January 1, 2020, the law will require a manufacturer of a connected device to equip the device with reasonable security features that are “appropriate to the nature and function of the device” and appropriate to the type of information collected by the device. It also mandates that any maker of an Internet-connected, or “smart” device ensures the device has “reasonable” security features that “protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”

Cyber Liability – A Message from the Attorneys General

Written by: Randall J. Krause, Esq., CIPP/US

At ACI’s Cyber & Data Risk Insurance conference held on March 24, 2014, representatives from five (5) state attorneys general offices (AGs)* sent a message to organizations throughout the United States. They had been asked to address the following question: “What are the top 5 messages that you want to send to companies across the country?” Their responses, along with some additional explanation, are the subject of this article.

In short, the AGs’ top 5 messages are (1) everyone is vulnerable to data breaches; (2) as a “steward” of sensitive data, you must be proactive in your efforts to protect it; (3) dispose of sensitive data properly and/or don’t collect it in the first place; (4) employee training and monitoring regarding cyber and data risks are critical; and (5) encryption is a basic “reasonable measure” to safeguard sensitive data*.

1. Don’t be fooled – Everyone is vulnerable to data breaches

As privacy professionals often say, when it comes to whether your organization will experience a data breach, “the question is not if, but when.” According to the PandaLabs 2013 Annual Report, 20% of all malware that has ever existed was created in 2013, with 31.53% of computers around the world being infected. In early 2013, the Ponemon Institute reported that, in its survey of small businesses throughout the United States, 55% of those responding reported having had a data breach (almost all involving electronic records), and 53% reported having had multiple breaches.