The Ohio Data Protection Act (Senate Bill 220), a CyberOhio initiative, provides an affirmative defense against data breach tort claims brought under Ohio law or in Ohio courts to organizations that have implemented and maintained a cybersecurity program that reasonably conforms to one of several specified frameworks.
During this webinar Greg Tapocsi, Associate of Counsel, Dinsmore & Shohl and former Director of CyberOhio, Timothy M. Opsitnick, Executive Vice President and General Counsel, TCDI, and Brian Ray, Professor of Law and Director of the Center for Cybersecurity and Privacy Protection, Cleveland-Marshall College of Law, will discuss:
- The significance of creating an incentive for organizations to voluntarily improve and maintain a robust cybersecurity program;
- Which cybersecurity frameworks are eligible for the Data Protection Act;
- Additional requirements organizations must adhere to in order to be granted an affirmative defense; and
- What protections are provided by an affirmative defense from a legal perspective.
For more information, please contact Katie Niemi at 216.664.1100 or firstname.lastname@example.org.
Greg Tapocsi is Associate of Counsel at Dinsmore & Shohl LLP and former Director of Governor DeWine’s CyberOhio initiative. Launched in September 2016 while Governor DeWine was Ohio’s Attorney General, the goal of CyberOhio is to create a technical, legal, and collaborative cybersecurity environment to help Ohio’s businesses thrive. Now a part of the Department of Administrative Services’ Office of Information Technology, CyberOhio continues to help businesses in this State fight back against data security threats. Through CyberOhio, Tapocsi performed cybersecurity outreach throughout Ohio and legal analysis of laws and their application to the current cyber landscape, assisted in workforce development for the cybersecurity field, and participated in introducing legislation to improve the legal cybersecurity environment.
Prior to his work with CyberOhio, Greg served as assistant county prosecutor performing adult felony trial work in both Seneca and Delaware counties. Greg also worked as enforcement attorney for the State Medical Board of Ohio where he prosecuted licensees for violations of Ohio’s Medical Practice Act. Greg is a proud graduate of the University of Tennessee and Ohio Northern University Pettit College of Law.
Timothy M. Opsitnick is Executive Vice President and General Counsel of Technology Concepts & Design, Inc. (“TCDI”). Tim is at the forefront of practitioners addressing issues involved in the security and discovery of electronically stored information. He has conducted numerous continuing legal education seminars regarding electronic discovery, cybersecurity, and other technology issues. In addition, he has served as a court-appointed Special Master and as an expert witness. His clients include United States and international law firms and companies.
Tim was with the law firm of Jones Day from 1986 until 2000, where he was a member of the Litigation and Product Liability sections. His practice concentrated on the management of complex, multi-district litigation. Tim founded JURINNOV Ltd. (“JURINNOV”) in 2000. JURINNOV was acquired by TCDI in 2016, expanding its services to include data privacy, cybersecurity, and computer forensics.
Professor Brian Ray has extensive experience in information governance, cybersecurity and data privacy. He co-founded and directs the Center for Cybersecurity and Privacy Protection and edits the Center-sponsored SSRN Cybersecurity, Data Privacy and eDiscovery eJournal.
Brian’s research focuses on security and privacy regulation, national and international jurisdiction over data, and data governance, collection and use policies at the municipal, county and state levels. In 2016 Ohio Attorney General Mike DeWine appointed Brian to the CyberOhio Advisory Board. He was selected to participate in the Yale University Cyber Leaders Forum in 2017, and SC Magazine named him one of three Outstanding Cybersecurity Educators in the 2017 Reboot Leadership Awards.
Introduction to the Ohio Data Protection Act Webinar (0:00)
Hello everyone, and welcome to the Ohio Data Protection Act: Rewarding Proactive Cybersecurity Strategies Webinar. We are excited to have Greg Tapocsi, Associate of Counsel at Dinsmore & Shohl and former director of CyberOhio, Tim Opsitnick, Executive Vice President and General Counsel at TCDI, and Brian Ray, Professor of Law and Director of the Center for Cybersecurity and Privacy Protection at Cleveland-Marshall College of Law, joining us today.
I have just a few housekeeping items before we get started. First, a recorded version of this webinar will be made available after the presentation. Please keep an eye on your email for a link to access it. During registration some of you submitted questions that you would like the panelists to address, and those questions will be discussed at the end of the presentation. Other questions will also be addressed at that time. So, without further ado, I’m going to go ahead and hand the presentation over to Greg.
What is the CyberOhio initiative? (1:00)
Good afternoon everyone. As Katie mentioned there, my name is Greg Tapocsi, and I’ve had the great pleasure of being the Director of the CyberOhio initiative during the times the Data Protection Act was both being drafted, and then as it worked its way through the General Assembly. So I want to start, I guess a little bit, just to talk about the initiative itself, kind of give everybody some background about CyberOhio.
The initiative started in September of 2016 by then Attorney General Mike DeWine. One of the things that Attorney General, then Attorney General, but now Governor DeWine is known for is going across the state and trying to find new ways to protect Ohio’s families. And when he was, a couple of years ago, he was starting to hear about small businesses, how they were being attacked by cyber criminals. Really we didn’t have that much kind of data or information about small business cybersecurity at that point. So to help get in front of the problem he created CyberOhio, and the goal of the initiative is to create a technical, legal, and collaborative cybersecurity environment to help Ohio’s businesses thrive, and there are a few different components of CyberOhio.
First of all, CyberOhio is an advisory board of approximately 25 business leaders and industry experts from across the state. It’s their job to advise the initiative and also give feedback to CyberOhio employees going forward. So it has representatives from large organizations, it has representatives from leading educational institutions, such as Brian Ray at Cleveland State, as well as industry experts that I mentioned too, including Tim Opsitnick at TCDI. So the board meets quarterly, but as needed they’ll provide any kind of assistance that CyberOhio employees ask for as well.
What role does CyberOhio Play in Ohio? (2:40)
From the advisory board there’s a couple other different, I’d say, components that the board guides. First of all, the board guides outreach. It’s how can CyberOhio let businesses know across the state that they’re a target for cyber criminals but also give them tools going forward. So whether it’s written articles, whether it’s newsletters, whether it’s presentations or webinars such as this that are given across the state. Again, try to help businesses improve their cybersecurity.
CyberOhio also engages in workforce development. The purpose of that is that there are over 350,000 open cybersecurity jobs here in the United States right now. So how can we do – or what can we do – to try to alleviate that problem, whether it’s hiring interns at the Attorney General’s office or it is having events for high schoolers and middle schoolers to get them more interested in the field as well.
And then finally, the last part of CyberOhio, and what you’re seeing on your screen right now, is what kind of legislation could the initiative introduce to improve the legislative cybersecurity environment? Initially that started at the Attorney General’s office, as I mentioned, but now CyberOhio is actually part of the executive branch. It is under the umbrella of the Department of Administrative Services. So CyberOhio certainly looks forward to being able to improve upon things that they’ve done so far but also continue their momentum that’s been generated over the past couple years.
Improving Ohio’s legislative cybersecurity environment (4:05)
But going that back to that point, just as far as the legislative cyber environment. You know our advisory board, they really kind of started from square one on this, and it started with an evaluation of what are other states doing, or what are, kind of, what’s the general mindset in the legislative space for cybersecurity?
You know on one hand, we have persons who say that, you know what, cybersecurity, as the government, you shouldn’t be involved in this. This isn’t something that you should be involved in, because anything that the government does is going to be slow, it’s going to be unwieldy, and essentially, it’s not going to fall in line with best practices.
On the other side of things you’ve got those folks who say, well you know, it is, the government needs to be involved in cybersecurity. Look at all of these data breaches we’ve had over the past few years, and they’re just getting worse. So businesses can do it themselves but will need some sort of guidance from the government in this space.
So knowing those kinds of two different outlooks, our board kind of thought, well what can we do, you know, that’s something in the middle. If regulation isn’t working, and the idea of investigating and fining businesses just really isn’t improving cybersecurity, what can we do to encourage businesses to become more cyber secure? So really, that idea is well look, let’s do something to incentivize businesses to improve their cybersecurity and reduce their cybersecurity risk. It is one of those kinds of things that with businesses, as I said, you know regulations it’s not working so far, so as a government what we should do to incentivize is identify best practices and give businesses a benefit going forward. So what is that benefit?
Affirmative Defense: Providing a benefit to Ohio businesses (5:43)
The idea is that it’s an affirmative defense. The benefit the Data Protection Act gives businesses is an affirmative defense to a cause of action or a lawsuit, a tort lawsuit in particular, that is related to a data breach. And really that’s kind of a lot of legalese, so for all those persons who are listening in at this point, I kind of want to break that down by using an example at this point.
Let’s say that a business has a security incident and it actually led to a data breach, that some customers’ information was taken by cyber criminals. Ultimately what’s going to happen is that most likely there’s going to be a lawsuit, and it’s going to be filed by those customers whose information was lost by the business. So those customers are the plaintiffs on one side of the lawsuit, while the business is the defendant. In their lawsuit the plaintiffs are going to file a complaint, and that complaint lists all the different reasons why the plaintiff should be able to recover.
One of those reasons why is called a tort action, and a tort action is simply a cause of action that courts have put together over the past hundreds of years, and over the past decades, that courts have put together themselves. So an example that folks might know about is negligence. You know that someone owes you a duty, they breached that duty, and as a result of the damage, as a result of that breach, the person suffered damages. So tort actions have been the most successful way that plaintiffs, those customers, have been able to recover, and then obviously that hurts businesses going forward too.
So with that complaint then, the defendants have the opportunity to answer. So the business has the ability to answer, and there’s a couple different ways that the business can do that. First of all, they can admit the allegations, say you know what, that’s, what happened there is absolutely our fault, and we’re going to admit that we did wrong. On the other hand, if the business can then deny the allegation, say you know, we didn’t do anything wrong in this case. We shouldn’t be held liable. And finally, another thing that the business can do in their answer is assert an affirmative defense.
An affirmative defense is simply the defendant saying, plaintiff, no matter what you say in your complaint, we’ll take it that all that information is true, all of the allegations, we’re still not held liable. And that’s what happens in this case, is the Data Protection Act says plaintiffs, no matter what happens in this case, we’re not going to be held liable, because we did everything we could to improve our cybersecurity, our policies and procedures, and our actions in this case as well. So again, it is a, I would say, a first of its kind in the United States, this first type of benefit to offer businesses that no other states have kind of gone this route. Again, other states have just kind of gone the investigate and prosecute routes instead.
So what does the business have to do to obtain this affirmative defense? They have to implement a cybersecurity program that reasonably conforms to the specified frameworks that are found in the statute, and both Tim and Brian are going to talk a little more detail about the frameworks and just kind of the parameters of the Data Protection Act.
Making the Ohio Data Protection Act voluntary (8:51)
But a couple things that I would like to note, just before we discuss even further too, is that with the Data Protection Act, it is voluntary. Your business is not required to follow the parameters of the Data Protection Act. You know there’s already enough legislation in the space. There’s already enough regulations. So if a business does not want to follow the Data Protection Act, it can’t be held against them, and that’s what this next point is as well too, is that the statute specifically says it does not create a minimum standard.
So if we go back to that data breach lawsuit example that I just talked about, the plaintiffs can’t say we should recover, because the defendant business failed to comply with the Data Protection Act. It’s not allowed. As I said, the legislation specifically prohibits that. It is not a minimum standard or it is not a private right of action. And what we mean by a private right of action there, is that some statutes might say that if there’s a violation, plaintiffs you automatically have the right to kind of include that in your lawsuit. Again, the Data Protection Act has specific language that says the plaintiff, there is no private right of action as a result of this statute.
What data is covered by the Ohio Data Protection Act? (10:00)
Then moving along, another kind of parameter, kind of basic, just about the Data Protection Act is what kind of data is covered, or in other words, what does the lawsuit have to be about, or what does the cyber criminal have to, kind of gain access to and remove from your business.
There’s two different types of data or information that the Data Protection Act covers. The first kind is personal information. So that’s kind of that very sensitive information that we’re all kind of used to, whether it’s your name plus your social security number or your driver’s license number or some sort of financial account information. And that’s kind of how the Data Protection Act started, is that well, we just limited kind of the benefit for the Data Protection Act, only limited kind of those lawsuits that involve personal information. But actually, we had feedback during the course of the legislative process. We had multiple businesses kind of reach out to us and say hey, we have information, it’s very valuable to us, it’s very valuable to our customers, but it’s not a social security number or credit card number. What can we do to kind of get the benefit of this legislation too?
So working with our advisory board, we actually added a second type of information, this idea of restricted information. So it’s any kind of information other than that super sensitive personal information I just mentioned that can be used to identify a person and which is likely to result in a material risk of identity fraud or identity theft there.
So an example might be, say if you have a connected car, and you’ve got all of your information about not only where you drive, but what type of music you listen to or the phone calls you’ve made, that might fall under restricted information. And for some reason if that is breached, and you say the auto manufacturer is subject to a lawsuit, if they did what they’re supposed to as far as protecting that restricted information, they would have the ability to argue that they fall under the Data Protection Act’s affirmative defense. So with that then, I will turn it over to Tim to talk in a little more detail just about these cybersecurity frameworks that I mentioned.
What cybersecurity frameworks qualify under the Ohio Data Protection Act? (12:03)
Okay, so as Greg mentioned I’m going to talk about the cybersecurity frameworks and also a little bit about evidentiary proof. You know, how are you going to show that you follow the frameworks?
All right, so a covered entity, in order to seek that affirmative defense, must have a cybersecurity program that reasonably conforms to the current version of a number of industry recognized cybersecurity frameworks. Reasonable conformity is the touchstone, and again, there’s a lot of legalese associated with reasonably conforms, but you know, we have on the screen here a listing of the frameworks that are identified in the Ohio Data Protection Act.
So the question always comes up, which framework should I choose? You know, what framework is applicable to my organization? And a lot of it has to do with what industry you’re in or what the particular data that you’ve collected and that you’re keeping, you know for others.
So the first is to note that there are two general-purpose frameworks. The NIST Security Control Framework and then the Center for Internet Security Controls, and those are both general-purpose frameworks where most organizations that don’t fall under the other frameworks find themselves.
We have industry specific frameworks. NIST 800-171, which is DFARS, you know those companies who are doing business with defense agencies. We have 800-53 which is the federal agency standard. These are the standards that federal agencies must follow. We have FedRAMP, which is the Federal Risk and Authorization Management Security Assessment framework. And then ISO 27000, and ISO 27000 is a global standard. And these are just some of the industry frameworks.
And so in addition to the frameworks in Division A, under Division B of the statute we have existing regulatory schemes. And that is if you’re someone who, because of particular state or federal statute, must fall under a particular scheme, for example HIPAA and HITECH, which are healthcare related, or Gramm-Leach-Bliley, which is financial related, these are particulars that you can follow if you have the particular data.
Now Division C is PCI, and what PCI is, is for credit card information. Just complying with, or showing reasonable conformity with, PCI isn’t enough. It has to be PCI plus one of the other Division A or Division B standards. For example, if you are collecting credit card information, this is something you’re already obligating yourself to do as a result of your contractual arrangements with those organizations.
Cybersecurity Maturity: Where you are today vs. where you should be tomorrow (15:06)
So a little bit about cybersecurity maturity, because look, everybody has to do things a little differently for their organization, because you know, every organization is distinct. And a little bit later in the presentation, Brian is going to talk about proportionality factors as they apply to the organization, and he’s going to go into a little detail about that. But what I want people to understand is that, you know, what’s right for one organization may well not be right for another, and those are sort of the factors that you have to consider as you go through these cybersecurity frameworks. And one of the best practices is to sit down with a company and say, okay, you know where on this maturity framework would you like to be, or where are you currently, where do you currently think that you are?
Certainly we have to be at least practicing, but it’s not necessary to be optimizing or leading. I always use the example, if I’m out there making chewing gum, and that’s my only intellectual property, I certainly don’t have to be a leader in the standards for protecting data privacy. But if I’m a defense contractor, I certainly do. And you know, and similarly, so what’s important is to get everybody on the same page on cybersecurity maturity when you’re going through and evaluating where you want to be with respect to these frameworks. So where are we today, and where are we going to be tomorrow?
Providing evidentiary proof of substantial compliance (16:41)
Okay, a little bit about the cybersecurity, the evidentiary proof of substantial compliance. You know what’s important is, to make this successful in my view, and I’ve thought a lot about this, you really have to have some documentation which is created concurrent with the process, and that you’re going through for this compliance. It’s, if you’re waiting to establish compliance at the point at which you assert the affirmative defense, and you’re trying to assemble the documentation to show that you comply, it’s my view that that’s probably too late. It’s something that you need to do at a point in time while you’re putting together your security requirements.
Again, perfection’s not the standard. We’ve talked a little bit about every organization is different. What’s right for one organization to be leading, another organization may well be satisfied with practicing, and again, later Brian will talk about some issues with proportionality that lead to this issue as well.
It has to be defensible. Whatever you put in place has to have the hallmarks of proof that you’re establishing that you have reasonably conformed. So third-party attestation is one of the easier ways to do this. Now I don’t necessarily mean certification here. I just mean that best practices suggest that a third party performed this sort of assessment somewhere during the process, and it typically has to be documented.
It has to be in writing and substantially show, and you’ve got to have metrics established with it. So it needs to be measurable, and you also have to be able to show that you have improvement over time. So where we are on day one, and we see these sort of exceptions that are in place that there are likely to be things that we are going to be working on over the next year or two, and so that we can show improvements in performance along the way, which is an essential part of this.
So with that, I will pass it over to Brian.
Additional general requirements with the Ohio Data Protection Act (19:03)
Good afternoon everyone. I’m going to round out our explanation of the Act’s requirements, and as Tim mentioned, including what we call the proportionality factors, which gets at how different sized organizations can respond differently in line with their resources, as well as the kind of data they hold.
Before we get to that though, this last piece is a set of general requirements that are within the Act. These were included because of concerns that some of the frameworks could be viewed, or could be applied, in a kind of check-the-box manner where you just go down the line, and especially some of the more specific ones, you sort of line up a set of controls without thinking comprehensively about your cybersecurity program.
Now in most instances, conforming to one of the listed frameworks is actually going to take care of these three additional general requirements, and in fact, most of the frameworks actually incorporate some version of them. So for example, all the regulatory frameworks, including HIPAA Security Rule, actually have these exact requirements within them, so in most instances you don’t have to worry too much about these general requirements. You’ll mainly be focused on trying to implement one of the frameworks, and as Tim mentioned, that process generally boils down into doing a cybersecurity risk assessment that takes into account where you are as an organization, what your risks are, and where you want to go.
And so, as both Tim and Greg talked about, the idea was we wanted a framework that was flexible enough that different sized organizations, and in fact, in particular smaller and mid-size organizations, would be able to take advantage of it, improve their cybersecurity, and still be able to be rewarded if, in fact, they end up in a situation where there’s an incident, and they get sued.
Okay, so the three general requirements are protect the security and confidentiality of personal information, protect against anticipated threats, and then protect against unauthorized access. Again, in most instances these are going to be taken care of by virtue of conforming to one of the listed frameworks.
Determining the scope of your cybersecurity program under the Ohio Data Protection Act (21:07)
Okay, the last piece of the legislation, and it’s termed a requirement, but in fact it’s an opportunity built in, an element that creates some flexibility. And what it requires is that the scope of your program, both how you conform to one of these frameworks, how you engage in that risk assessment, how you meet the general requirements, and what you decide to do, is based on this set of considerations: size and complexity of your business, your activities, the sensitivity of the information that you hold, the cost and availability of tools that you might use, and your resources.
So if you look down that list, they’re not in any particular order in the sense that any one has more priority over the other. They’re a kind of inclusive set of considerations that, as Tim framed it, are intended to create proportionality, by which we mean, intended to allow businesses that are relatively smaller, that have relatively less sensitive data, and relatively less data overall, to calibrate their program in ways that make sense for their organization that isn’t going to make them go broke. So the idea was, you shouldn’t, we want to incentivize better security, but cybersecurity is not what you’re doing as a business, and it shouldn’t get in the way of your being able to operate profitably.
Now on the flip side, the size and activities and sensitivity will cut the other way. If, as Tim said, you’re a defense contractor, well you’ve chosen to be in that business. You have lots of obligations to take extra steps to make sure every aspect of your organization is secure, including your data. Likewise, if you’re in the health sector, even if you’re a relatively small business, well you already have the regulatory burden under HIPAA, so you’re going to have to meet that to be able to take advantage of the defense.
But if you’re a retail, small mom-and-pop retail operation, if you’re a small services business, and you only hold data like social security numbers or maybe the occasional credit card number, as long as you’re taking care of those aspects, and you’re doing it in a proactive way that you can demonstrate maps to one of these standards, then you’ll be in good shape, and you should be able to take advantage of the defense provided by the Act.
The Ohio Data Protection Act’s protection limitations (23:20)
Okay, so there are a few other limitations that we want to cover. First, the Act’s protections are limited to two scenarios. It’s limited to any case brought under any law in Ohio courts. So Ohio courts are mandated to apply it regardless of whether the substantive law at issue is Ohio or another state’s. But also, we’ve created what’s essentially a choice of law rule that says, hey other states where you’re entertaining data breach claims under tort that fall under Ohio law, that you determine Ohio law applies, well this protection ought to apply. And so there, that’s an attempt to expand it somewhat so that even if you’re not an Ohio court, if Ohio law is the output of law, then you’ll be able to take advantage of it.
And this has led to, at least some organizations, beginning to explore the possibility of incorporating choice of law, as well as choice of jurisdiction provisions, into some contract so that they’ll be able to expand, or at least attempt to expand, the scope of the protection outside of Ohio.
Asserting an affirmative defense in practice under the Ohio Data Protection Act (24:24)
Okay, a couple of quick points when we’re thinking ahead, into what happens when you try to assert this defense in practice. Now, a big caveat here, a lot of this, you know, remains to be seen, and it’ll be really interesting to see the first case, or several cases, where courts begin to grapple with how to apply this defense.
And as Greg mentioned, it’s an affirmative defense to begin with, and so what that means under both Ohio and Federal Rules of Civil Procedure is that you as a defendant, bear the burden of first pleading it. You’ve got to assert it in your original answer or in an amended pleading. And that also means that you’re going to bear the burden of producing evidence on this. And so you’ll have to, as Tim mentioned, be ready to have a record that shows both that you conformed to one of these cybersecurity frameworks and that you were taking the general steps required by the Act to qualify for the defense.
And so as Tim mentioned already, that means you really should be thinking proactively about it. Now that’s what you should be doing for cybersecurity anyways, and it’s not that much more of an effort to incorporate some thoughtful record-keeping, some creation of what some people call artifacts, within your regular process of developing a robust cybersecurity program. And just documenting these in ways that will allow and enable you to provide them as evidence when, and if, you end up in a lawsuit, and you want to assert this defense.
As Tim mentioned, the evidence that you’re going to provide will be in the form of both the cybersecurity assessments that you do and the remedial actions that you take. And on both sides of that equation you’re going to want to think ahead and be thoughtful about how you’re going to document, one, how you’ve set your risk profile, what your risk appetite is within the cybersecurity risk assessment, and why you’ve decided to prioritize certain steps over others. Because again, as Tim and Greg mentioned, perfection is not the standard here. You simply have to demonstrate that you’re conforming to these frameworks, all of which allow for you to work towards, and in fact require, continual improvement of your cybersecurity posture. But again, you want to be able to document that, because you’re going to have to present the argument that my choice is reasonable, and that’s effectively the standard under the under the Act.
Third-party attestations and applying litigation practice (26:49)
Going back to a point that Tim raised around third-party attestations or certifications. Some of the general frameworks have recognized external certification processes, and there are professionals who are trained and can be, and you can hire to certify you. That no question would be helpful, but as Tim mentioned, it’s absolutely not required. However, you will want to have some kind of, or it would be best and easiest to demonstrate conformity, if you do have some kind of, an independent assessment that says yes, the choices you made make sense. The steps you’re taking make sense.
Finally, in terms of actual litigation practice, it is almost impossible for you to succeed on a motion to dismiss. For those of you familiar with that, that’s in essence saying hey, I plead the fact that I’m entitled to this defense because X. You’re just not going to be able to resolve any dispute or any particular claim at that point. The earliest that you’ll be able to do it is at the summary judgment phase after each side has been able to put on evidence.
Now at that phase, depending on what you’ve been able to do, how well you’ve been able to document what you’ve done, and the extent to which the plaintiff side that has sued you has presented evidence to demonstrate that in fact you haven’t been reasonable, or you’ve missed some aspect of one of these frameworks, you might be able to win on summary judgment. But if the plaintiffs are doing a reasonable job, it typically will be challenging.
And so ultimately when you’re thinking about this as a tool within litigation and as a defense, it provides some real benefits, but the benefits ultimately are in positioning yourself for a potential settlement. Because at the end of the day, if both sides are doing their jobs, you’re probably going to end up having this resolved by the trier of fact, after a full trial on the merits, or at most after one side or the other has put on their evidence. It’s going to be very difficult to get it resolved at the pre-trial stage.
But nonetheless, by preparing yourself substantively to demonstrate conformity and take advantage of this affirmative defense, you’ll be better prepared both to assert the defense and to win on the merits. And it should provide a fair bit of leverage to be able to say to a plaintiff who’s suing you, look, you know I’m not the right target. I really was doing my job. Let’s find a way to resolve this before we get to trial.
What is not covered by an affirmative defense according to the Ohio Data Protection Act (29:16)
Okay, a few other general limitations. As Greg mentioned, the Act’s defense is limited to tort actions, so obviously criminal actions are not covered. Breach of contract claims are not covered as well. We considered trying to wrap into this some of the contract-based claims that have been asserted in class actions, including loss of expected value and some of these more creative theories. The problem was, if we tried to wrap in the contract claims, then we would end up potentially impinging on contract rights that businesses routinely set up around indemnification. And so there was no clean way to carve those out and get at the consequences that show up in class actions.
And there are obviously regulatory actions. There’s no way for a state law to limit what federal regulators can do. Although, as we mapped it out, the idea was that if you’re subject to one of these regulatory frameworks, you also ought to, in most cases, be able to take advantage of the defense. But also when it comes to state-based claims, both data breach notification and general unfairness claims under the relevant Ohio statute, we decided we didn’t want to absolve people from conduct that would qualify for those kinds of regulatory action, because that’s a much, much higher bar.
It’s really basically saying, hey, if you’re doing a reasonable job, if you’re being proactive in taking some very specific steps, but not unreasonable steps, to have a good cybersecurity program, then you shouldn’t be subject to tort liability, because you’re doing more than what’s actually reasonable under a tort standard.
The Ohio Data Protection Act is in effect (30:52)
Okay, so the act is fully in effect. It came into effect last November. As I said before, we have yet to see a case where the defense has been asserted, but it’s certainly gotten a fair bit of attention both from within Ohio and outside of it.
Q&A: How likely do you think the Attorneys General of other states are to support the Ohio Data Protection Act? (31:07)
All right so we’ve got a few questions that were sent to us prior to the webinar in anticipation of it. We’ll go through those, and then we’re going to do the poll and then take questions.
I’ll go ahead and take the first one there, and other panelists, please jump in as well too. The first question, as you see there, essentially, so I guess the first part is “Do you think that Attorneys General in other states are going to support this type of legislation,” and generally I would say the answer to that would be yes.
In particular the Conference of Western Attorneys General, so all of those Attorneys General on the other side of the Mississippi River, actually evaluated, kind of, the cybersecurity space and what kind of laws are in this space at this point, including the Data Protection Act. And they put together a white paper, or kind of a research paper, about all those different laws, and as far as the most preferred, or essentially their best idea, they thought the Data Protection Act was the best idea, and that other states should essentially follow suit. So that’s certainly a good thing.
I had calls from other Attorneys General on the eastern side of the Mississippi as well too when I was director of CyberOhio. They’re also looking at the kind of affirmative defense concept as well. I do think, as far as the other side, that the state of New York, interestingly, has introduced legislation. It’s kind of, I would say, an affirmative defense based model, but it’s a little bit different in that New York says that the legislation is voluntary. However, it’s voluntary in the sense that if you don’t comply with the rules and regulations, New York can investigate you and then prosecute your business there. So I don’t know how voluntary that really is. The legislation itself has not advanced in the New York General Assembly, I’ll say, but it’s kind of a little bit different idea in that it’s not purely voluntary, in that again, if you don’t follow it, you’re going to be investigated.
Q&A: What protections might the Ohio Data Protection Act provide Ohio businesses in other jurisdictions? (33:02)
The second part of the first question there is “what protections might the Data Protection Act provide to businesses in those other jurisdictions?” And that kind of goes to Brian’s point earlier there, as far as choice of law clauses. It’s that if you are an organization that has enough of a presence, you’re based in Ohio, but you’ve got a presence in other states, the idea is that you can use the Data Protection Act in your contracts. Whether it’s with your suppliers or with your customers, anything like that, other businesses, you can use the Data Protection Act in those contracts. And then if there’s some sort of dispute, you’ll have this benefit if a cybersecurity incident occurs. So I said I’d answer the first question there.
Q&A: Do you expect other states or Congress to pass laws similar to the Ohio Data Protection Act? (33:47)
So I’ll start on this one. The other states aspect is covered by what Greg mentioned, and so there’s definitely been some interest. And it remains to be seen whether and how the model gets adopted. Congress, there actually was, in the FTC’s recent effort to hold hearings, and then some hearings that have been held by both the House and the Senate at the federal level. I spoke to one of the attorneys who’s been involved in that, and they did look specifically at Ohio’s model, because the idea of a safe harbor, or you know, an affirmative protection, a carrot rather than a stick, is very appealing, not surprisingly.
They ultimately decided, or it’s not done yet, but it wasn’t included in any of the specific proposals that have been forwarded so far, primarily because at the federal level we’re not really dealing, we’re not dealing with tort based claims primarily, we’re dealing with regulations. And so the regulatory frameworks are already fairly well developed, and it’s really, the questions are really circling around, are we going to have some more general data privacy law that likely the FTC would be in charge of, and how would that interact with state laws like Ohio’s? And so they’re really looking more at how to frame that authority as opposed to creating something like Ohio’s got.
I’ll jump in on that too. I think it’s interesting to see, just as far as with Congress too, that there’s really not a consensus within the industry as well. You know, the idea is to have some sort of all-encompassing security or kind of privacy regulation across the United States. You know, even the big players in the industry can’t get on the same page. If you look at Google, you know data is very important to Google. They essentially don’t want what are, in their mind, heavy-handed regulations, but then if you look at Apple, whose business model is based more on devices as opposed to data, they’re okay with the kind of heavy-handed regulations to improve cybersecurity or privacy, again, just because it doesn’t affect them as much.
So I think that it’ll be interesting to see as far as at the federal level just trying to get a consensus from all the different players and persons that are involved in this industry too.
Q&A: Does CyberOhio provide checklists, recommended best practices, and frameworks to help comply with the Ohio Data Protection Act? (36:03)
So does CyberOhio provide checklists, recommended best practices, and frameworks to help? And the answer is yes, CyberOhio, especially for small and medium-sized businesses, is a great resource. You do have on their website materials to help them, and members of CyberOhio are willing to come out to organizations and to speak, as Greg is now doing here, to other groups to spread the word and to encourage best practices.
A couple of other resources that you can go to on the website, certainly NIST. NIST has some small business pamphlets and other things that are helpful on their website, and the Federal Trade Commission has a very well-developed website which gives tips and best practices for small and medium-sized businesses to follow. So those are great resources.
Q&A: For a small business, what is the easiest of the frameworks to follow? (37:01)
You know, one note on frameworks. One of the things that we tried to avoid when putting this law together is that we didn’t want to create some very expensive framework that people had to follow in order to achieve substantial compliance, which is why we use frameworks that were out there, readily available, and most organizations were already following one or the other and would not necessarily cost them a great deal of money other than what they were already spending to comply.
I often get asked the question, for a small business, what is the easiest of the frameworks to follow, and you know, of course you have to consider that with, as Brian said and I said earlier, it often depends on the type of data you have.
But if you’re an organization that doesn’t necessarily have particular types of data that fall under a privacy scheme, I would say that the Center for Internet Security Critical Security Controls is probably the easier of the frameworks to follow, and the reason for that is it tends to be more prescriptive. By that I mean it tends to be more list oriented. Check the boxes, do these things, these things need to be done, which is a lot easier to do than things like NIST, which tend to be more like a journey. They want to walk you through a lot of things that your organization has to consider and how to do those things. The Center for Internet Security Critical Security Controls is more of a list, more of a checklist. So I think that’s an easier framework for a small business to meet.
Q&A: What is the legal definition of “Safe Harbor”? (38:49)
The legal definition of safe harbor – Brian or Greg?
I’ll jump in real quick. So the term safe harbor was used in the legislation itself, but as I mentioned as I went through some limitations, it’s a bit of a misnomer, you know, to the extent it’s used in some other context. Qualifying for the Ohio Data Protection Act defense does not absolve you from any potential liability relating to a data incident or alleged breach. It will, however, absolve you from tort liability under Ohio law or, you know, in Ohio Court. So it is specific to those tort claims and in those contexts.
Safe harbor was used to try to highlight the fact that this really is an optional, as Greg emphasized, opportunity to get a benefit by doing what you hopefully are doing from a business perspective anyways, which is trying to have a good cybersecurity program. But you still have potential other liabilities, regulatory risk. You know, there are some other creative theories that are out there, as I mentioned, that you might end up having to defend against on the merits. But as I also mentioned, by trying to qualify for the Act’s protections, you’ll be doing what you should be doing from a business perspective anyways, and that also will put you in an excellent position to defend against those other risks, even though this specific defense the Ohio Data Protection Act provides won’t be available.
Q&A: Companies unaware of the law, mostly out of state, have pushed back on the required language being added to contracts, because they want to keep their standard form of agreement intact. What is the best way to convince them to add the necessary language? What about difficulties in changing jurisdiction in contracts? (40:15)
I’ll jump in on this one. I’m reading it to be asking, or to be positing, that many companies push back when approached by a partner, or advised by an attorney, to put in a choice of law or choice of jurisdiction clause. I think that’s what they mean by the required language, but the Ohio Data Protection Act doesn’t itself have any required language. But anyway, read that way, I would say there are a set of business considerations that you want to take into account when deciding whether the benefits of the Ohio Data Protection Act merit trying to change a choice of law or choice of jurisdiction clause, because obviously those are often included for other business reasons.
Although in many instances, in fact, there’s just a kind of default that the parties pick out of a general perception that, say, New York or Delaware law is likely to be relatively more friendly in a particular context, and so to the extent you haven’t otherwise chosen your choice of law or choice of jurisdiction for specific reasons, the Ohio Data Protection Act might give you a particular reason to choose Ohio. This again assuming there isn’t some other set of concerns out there.
Q&A: Are there plans to advertise and provide awareness for small businesses so they can begin to think more proactively about their security needs? (41:31)
Katie, I see that we have another question, but I can’t seem to read it.
I’ve got it. So this, and this is a good question, sort of relates to number three: are there plans to advertise and provide awareness for small businesses so they can begin to think more proactively about their security needs? I mean, Tim, you started to address this at number three. I don’t know if you want to expand a little bit, or Greg, expand a little bit on some of the other things that are being done by CyberOhio and others?
Maybe I’ll start with that, Tim. As both Brian and Tim kind of mentioned a little bit there, one of the main focus points for CyberOhio at this point is to essentially spread the word about the Data Protection Act. So whether it’s a presentation in Cleveland, Toledo, Cincinnati, Columbus, any county in between, we’re here to help essentially spread the word about that.
You know, it could be for your organization, if it’s just, say, your business, we can come talk about it, or even, say, a professional group like a Chamber of Commerce or something like that. You know, we’re happy to come, and CyberOhio is happy to come and kind of chat a little bit and explain, as we’re doing today, the parameters of the Data Protection Act.
We’re also looking, as far as going forward too at CyberOhio, at how we can, I would say, refine our message a little bit with the Data Protection Act. And what I mean by that is maybe it is a kind of statewide effort involving, you know, some of the members of the Governor’s Administration, essentially where we have a press conference, almost like a call to action, where we’re getting the word out from persons in the administration, and then we have a checklist, or just kind of materials for folks to evaluate. But then revisit it, you know, in six months or in a year or something like that, to continue this kind of outreach effort and see if we can’t improve upon our numbers as far as businesses who are evaluating their cybersecurity risks. So that’s something CyberOhio is now working on, essentially that kind of centralized message to get out across the state going forward.
And I’ll add, we’ll circulate to everyone who signed up for this webinar a white paper that I’ve been working on with a law professor at Ohio State, Denis Hirsch. Microsoft actually approached us, because they’re actually interested in promoting the protections the Act provides. They think it syncs well with some of the security offerings they have in their cloud product. But anyways, we did an independent analysis that goes into more detail around the points that we made today, and as soon as it’s ready, it’s almost done being produced, we’ll circulate it to everyone here.
And I know all of us have been involved in events, both here and outside of Ohio. My Center, we’re doing our conference May 30 and 31, and both Tim and Greg are coming, and we’ll definitely have, if not a dedicated session, at least a good chunk of the conversation, around the Ohio Data Protection Act.
Poll Question: (44:22)
Why don’t we go to the poll, and while we take the poll we can wait and see if we have any other questions. So the question is, are you considering improving your organization’s cybersecurity controls as a result of the Ohio Data Protection Act, and we were hoping that the attendees could tell us what they think regarding this, and you know, we will share the results with you now.
Q&A: Will there be opportunity for MSPs to become involved as certified vendors to help small businesses become secure and qualify for the Ohio Data Protection Act’s protections? (44:49)
Okay, and we did get one more question. Will there be opportunity for MSPs to become involved as certified vendors to help small businesses become, quote, secure and qualify for the protections?
I’ll start with responding to that one there. The short answer is no, not at this point. You know that New York legislation that I mentioned there? They kind of have a, I would say, kind of cottage industry, or kind of part of the legislation is that there was a certification process. Essentially New York would evaluate certain managed service providers, and essentially they would have a group of them that would go across the state and evaluate companies and essentially say yes or no as far as whether the company is complying with the New York law.
Our Advisory Board certainly discussed that model, but it was something that ultimately we decided not to go forward with for a couple of reasons. I guess practically speaking, when you’re talking about the General Assembly, you know, some sort of agency or group within the government that would essentially be in charge of that, it’s going to cost money, it’s going to cost time, and it makes it difficult to get legislation through whenever you attach a large price tag to something at the General Assembly there.
And that’s kind of the reason, I would say, is that this legislation is kind of a first step. We’re not saying that this is the only thing we’re going to do here in Ohio. But at a minimum we just wanted to start there, start with an affirmative defense, before we move into some sort of certification process. But at the same time too, kind of another reason why we decided that that wasn’t a model that we wanted to go forward with is that sometimes when businesses get a certification, or when they just check those boxes, they start becoming a little bit lax in their cybersecurity procedures.
Instead we wanted businesses to continually work on their cybersecurity, you know, that kind of cyclical process. We don’t want them just saying, hey, at one time, here’s my certificate. I shouldn’t be held liable. We want them to continue to work, not only right now, but in the future as well. Again, we didn’t want just one point in time, we wanted the holistic approach to improving cybersecurity there. But I don’t know if Tim or Brian have any other thoughts on that too?
The only thing that I would add is that one of the things that we were concerned about was adding to the cost of compliance with the Ohio Data Protection Act, so if you were required to use a certified vendor or a company in order to show substantial compliance, we were concerned that that would raise the cost. So we shied away from that and instead that’s why we stuck with publicly available frameworks and things that you could do on your own, as well as continue to do it the way you’ve been doing it as long as you’re practicing, you know, the ongoing improvements to your cybersecurity plan.
Just to add real quick, even though, as Greg and Tim mentioned, there’s absolutely no sort of defined specific certification you can get, it’s nonetheless absolutely the case that it can help a lot to have an independent entity advise you and help you create that record.
And so you know there’s certainly a business opportunity there for qualified providers, who are already doing this work, to fold into it some thoughtful procedures that would allow you to document and give the kind of attestation that Tim mentioned that says, yeah, you know what, in my view it looks to me like you’ve conformed with X and you’ve qualified for the Ohio Data Protection Act. It won’t have the weight of a formal certification like in New York’s model, but it certainly will have some weight and value.
Poll Answer (48:33)
So we see the results of the poll, and I think that it shows very positively that people believe that this is going to have an effect on encouraging organizations to practice better cybersecurity. That was certainly the Attorney General’s, now the Governor’s, intent when he encouraged the CyberOhio panel to come up with something which was unique. And Greg, have you seen any other polls regarding this, and what have they shown? Have they been similar?
They have been similar. I’ve seen a couple of other polls as well too, and I would say probably around the two-thirds mark, rather similar to this one too, as far as the effect of the Data Protection Act. Now as Brian mentioned, you know, it will be interesting to see, once this reaches the courts, how that will affect our numbers there, but at this point the response has been positive to the Data Protection Act.
Q&A: Theoretically, why didn’t we go the way of PCI? (49:32)
We had one more question.
Which Tim, you can answer quickly, theoretically why didn’t we go the way of PCI?
So if the intention of that question is why wasn’t just PCI good enough, the answer is that PCI only addresses a very small subset of the security controls that are found more broadly in some of the other frameworks. So it was very narrow in terms of those security controls, which are linked more towards the, you know, the retention and protection and privacy of credit card information, and that’s why it’s PCI Plus, you need to have one of the other frameworks in addition to PCI.
And one of the questions that’s come up in some of the commentaries is, well, why would anyone bother with PCI Plus? That seems more burdensome than just qualifying under the frameworks.
At least in our analysis, the better reading of the Act is that if you are subject to a tort claim that’s related to PCI-covered information, well, that’s the route that you’re essentially required to take under the Act. You’ve got to demonstrate you conformed with PCI, because you had that regulatory responsibility anyways, and you’ve got to show more generally that you’ve conformed with one of the broader frameworks.
Or it’s a contractual responsibility as well.
Right, right, well there’s that aspect as well.
But I’d just like to close and thank everybody for attending. On behalf of Greg and Brian and myself, thank you for spending the last hour with us, and we will make the recording available for you. Thank you very much.