Request Demo

DFARS, NIST Cybersecurity Framework, ISO

State of Ohio Passes Law That Would Provide Safe Harbor to Companies Standardizing on NIST Standards and More


Originally published in Lexology.

Senate Bill 220, also known as the Data Protection Act, was recently introduced in the Ohio legislature. If passed, the Data Protection Act will create a safe harbor from certain liability as a result of a data breach where the organization has complied with the National Institute of Standards and Technology (NIST) Cybersecurity Framework or certain other cybersecurity frameworks. The NIST Cybersecurity Framework is voluntary guidance, based on existing standards, guidelines and practices, for organizations to better manage and reduce cybersecurity risk. The Data Protection Act was introduced as a way to help Ohio businesses with cybersecurity issues and manage cybersecurity risks.

The Data Protection Act provides that, if covered businesses implement and maintain a cybersecurity program that complies with certain cybersecurity frameworks, then the organization will have an affirmative defense to a tort claim alleging that a failure to implement reasonable security controls resulted in a data breach. In order to qualify for this safe harbor, the entity must implement a cybersecurity program designed to (1) protect the security and confidentiality of personal information, (2) protect against any anticipated threats or hazards to the security or integrity of personal information, (3) protect against unauthorized access to and acquisition of personal information. The scale of the cybersecurity program should be appropriate to the organization based on its size and complexity, the nature and scope of its activities, the sensitivity of the personal information protected under the program, the cost and availability of tools to improve its information security, and the resources available to the organization.

Additionally, the organization’s cybersecurity program must be in “substantial compliance” with one of the following cybersecurity frameworks:

For entities regulated by the state and federal government, cybersecurity programs in substantial compliance with the security requirements of the Health Insurance Portability and Accountability Act (HIPAA), Title V of the Gramm-Leach-Bliley Act (GLBA) or the Federal Information Security Modernization Act also qualify for the safe harbor.

The Data Protection Act expressly states that it does not “create a minimum cybersecurity standard that must be achieved” or “impose liability upon businesses that do not obtain or maintain practices in compliance with the frameworks.” Rather, it seeks “to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action.”

Ohio Attorney General Mike DeWine has endorsed the legislation, stating “The Data Protection Act is an effort to encourage businesses to take the necessary steps to protect their customer data and avoid costly data breaches. As businesses beef up their cybersecurity, consumers will benefit from the additional protection as well.”

Notably, for businesses that accept payment cards, the Payment Card Industry’s Data Security Standard (PCI DSS) is not one of the cybersecurity frameworks eligible for the safe harbor. So, businesses that currently comply with PCI DSS must also comply with one of the above industry frameworks in order to qualify for the safe harbor. Another potential challenge for covered organizations is that many of the industry frameworks, like NIST, do not have a standard certification process, so proving compliance with the applicable framework may prove challenging. However, given the increasing risk that cybersecurity presents for many organizations, the Data Protection Act if passed may grant some relief. 

CyberStrong supports NIST Cybersecurity Framework, NIST 800-53. ISO27001/2, FedRamp, FISMA, and CIS controls. Adopt, track, measure, and mitigate risk and close gaps all through one pane of glass. CyberStrong is the only platform that allows you to adopt, measure, prove progress and ultimately prove real, evidence-based and measurable adoption of these standards. 

CyberStrong makes proving adoption of these starts straightforward and within reach for Ohio-based organizations who wish to take advantage of the safe harbor that this new law brings to the table. Get a free demo or Contact Us for more information.

Free Demo


You may also like

Why GRC Needs IRM
on August 7, 2019

Today, every organization strives to optimize the speed with which they access information. Data is being stored, processed, transmitted and utilized in almost every day-to-day ...

Alison Furneaux
SSP and POAM Guidance for DFARS ...
on July 24, 2019

Defense federal acquisition regulation supplement (DFARS) Compliance has been top of mind for Prime contractors as well as Department of Defense (DoD) suppliers since before the ...

Alison Furneaux
Integrated Risk Management Magic ...
on July 17, 2019

It has been roughly one year since Gartner released the 2018 Magic Quadrant for Integrated Risk Management, the first of its kind, and as of this week the second Integrated Risk ...

Alison Furneaux
"Glass-box" Solutions Are Critical ...
on July 11, 2019

With the likes of Equifax and Marriott, it is no secret that cybersecurity has made its way into the Boardroom. While many executives are experienced in managing myriad business ...

Reading Between the Lines of NIST ...
on July 9, 2019

On June 19th, the National Institute of Standards and Technology (NIST) released the much anticipated Rev 2 of SP 800-171 and the working draft of supplement SP 800-171B. As the ...

How We're Making DFARS Compliance ...
on July 2, 2019

With the Department of Defense (DoD) making DFARS compliance a requirement for all contractors doing business with the DoD, a great amount of stress has been put on DoD ...