Understanding “Data Breach Safe Harbor” law

March 15, 2019
Justin Hall
Director, Security Services

Last year, Ohio’s General Assembly passed SB220, referred to as the Ohio Data Protection Act. This legislation takes an interesting approach to cybersecurity regulation. Instead of mandating that a specific set of security controls be implemented, this data breach safe harbor legislation offers an incentive for voluntary compliance with one of several industry-accepted standards.

In short, if your business has a documented formal security program that follows one of these standards, and if a lawsuit is brought against you for a breach of personal data, the data breach safe harbor law allows you to claim an affirmative defense.

A closer look at the data breach safe harbor law

If, like us, you’re not attorneys or legal scholars, some of that might have left you scratching your head. Our good friends at Dinsmore (they’re great lawyers) wrote up a great article on the subject. For the laymen among us, here’s what we think the data breach safe harbor legislation means:

  1. Acme Company has a security program based on the NIST Cybersecurity Framework. They’ve documented, and can demonstrate, their conformance with each of the framework’s roughly 100 subcategories (108 in CSF version 1.1).
  2. Acme suffers a data breach – despite their strong defenses, an attacker is able to access and steal their customer database.
  3. Acme customers whose data is stolen participate in a lawsuit against Acme, claiming that Acme’s negligence contributed to the loss of their data.
  4. Under the Data Protection Act, Acme can assert its conformance with the NIST CSF as an affirmative defense in the suit, and if the court accepts that defense, Acme is shielded from liability on the claim that it failed to implement reasonable security controls.

Sounds pretty groovy, eh?

Law highlights industry-accepted standards

The idea of the data breach safe harbor legislation is to incentivize businesses to develop a security program, adopt a formal security standard as its base, and actually follow it. The standards mentioned by name in the law’s language are the good ones, too.

And if you’re required to be compliant with PCI DSS, the HIPAA Security Rule, FISMA, HITECH, or GLBA, those count as well!

Effect of the law uncertain, but customers are intrigued

This is pretty appealing. Many companies have been targeted in lawsuits by the victims of their data breaches and have had to pay millions of dollars as a result.

Here’s the thing. This data breach safe harbor legislation is new and hasn’t been tested. We don’t know who decides how much compliance is sufficient to actually warrant an “affirmative defense,” or how much impact it will have on the final decisions in these kinds of cases. What we do know is that our customers are intrigued and have been asking for help in determining where the gaps are in their security program, and how to address them.

CBTS helps you navigate the always-shifting security landscape

CBTS has been advising customers on building strong security programs since 2005. We’re well versed in the standards included in this data breach safe harbor legislation – we talk to customers about them every day. There’s never been a better time to invest in developing this practice in your business – contact us today!

NOTE: We are engineers, not lawyers. This blog post does not constitute legal advice and should not be used as such. If you require legal advice, you should consult a qualified lawyer in your jurisdiction.
