What Does Senate Bill 220 Mean For Ohio Businesses That Invest in Data Security?
Concerned with data breaches and the ever-present challenge for businesses to protect their digital assets, John Kasich signed Senate Bill 220 into law on August 3rd. Known as the Data Protection Act, the bill aims to encourage businesses to beef up their IT security.
Senate Bill 220 creates a legal incentive for companies to voluntarily invest in better cyber security to protect customer information.
The law, introduced in the fall by Sen. Bob Hackett, R-London, and State Sen. Kevin Bacon, R-Minerva Park, provides a legal "safe harbor" for companies that take steps to incorporate safety measures.
The bill provides a legal defense for companies that suffer a data breach and are then sued for not implementing reasonable security protocols.
This kind of incentive has been pushed by Ohio legal experts, and is one of the first major initiatives of the CyberOhio initiative by Ohio Governor Mike DeWine.
But there is still no "one-size-fits-all" guide for how companies should protect customer data, since not every business stores the same amount and kind of data.
To qualify, a business must meet 4 overlapping requirements:
First, it must “create, maintain and comply with a written cyber-security program that contains administrative, technical, and physical safeguards” for the protection of personal information or of both personal information and restricted information.
Second, the cyber-security program must reasonably conform to an industry-recognized cyber-security framework.
Third, the program must be designed to protect the security and confidentiality of the relevant information against threats to the security or integrity of the information. It must also protect against unauthorized acquisition of information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.
Fourth, the scale and scope of the program must be based on all of the following: the entity’s size and complexity; the nature and scope of its activities; the sensitivity of the relevant information; the cost and availability of tools to protect the information; and the business’s available resources.
Now is a great time to look at your current cyber-security plans and determine how to enhance them. Determine possible risk areas in your firm and make sure there is an appropriate plan in place to help prepare. Compliance with industry standards provides immediate value to a firm in a myriad of ways, including lower total IT expenditure, insulation against risk, preservation of the firm’s reputation, improved uptime, operational consistency, and more. If you haven’t taken cyber-security seriously, SB 220 may be the jump start that Ohio businesses need for compliance efforts.
In the wake of high-profile hacks of consumer information, businesses should take a risk-based approach in implementing industry-recommended standards. Cyber-criminals are highly sophisticated, and there is no typical or routine cyber-attack.
We are experts in all areas of cyber-security and can help your company develop your plan and make sure your business is able to take advantage of the protection that this bill offers. Let us know how we can help.