As of November 2, 2018, Ohio’s Data Protection Act, also known as a “safe harbor” law, grants businesses protection from lawsuits relating to data breaches if they reasonably comply with industry-standard and federal regulatory frameworks. This groundbreaking legislation may soon be mirrored by other states, but for now it applies only in Ohio.
To qualify for “safe harbor,” as it were, a business must design its cyber security strategy to:
- Protect the security and confidentiality of confidential information
- Protect against any unanticipated physical or cyber threats or other hazards to that information
- Protect against unauthorized access to and acquisition of information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates
Cyber Security Frameworks Enumerated in the Law
The three provisions listed above can be satisfied under a variety of regulatory frameworks. This means that businesses, including those in the healthcare industry, that reasonably conform to one of these frameworks are granted safe harbor. Safe harbor does not provide total immunity, so businesses cannot treat it as an impenetrable shield, but it does offer a defense against tort claims, which can otherwise put a business out of operation, especially a smaller one.
The Regulatory Frameworks Under Safe Harbor:
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
- NIST Special Publications 800-53, 800-53A, or 800-171
- Federal Risk and Authorization Management Program Security Assessment Framework
- Center for Internet Security Critical Security Controls for Effective Cyber Defense
- International Organization for Standardization/International Electrotechnical Commission’s 27000 Family – Information Security Management Systems
- Health Insurance Portability and Accountability Act (HIPAA) of 1996 Security Rule
- Health Information Technology for Economic and Clinical Health Act
- Title 5 of the Gramm-Leach-Bliley Act of 1999
- Federal Information Security Modernization Act of 2014
Reasonably Conform—What Does That Entail?
There are some situations where safe harbor will not apply, including a breach of contract or a violation of other law. Safe harbor is designed as a defense against tort claims alleging that the security controls mandated by the regulatory standards listed above were not met.
To use a safe harbor defense, an organization must demonstrate that it has taken steps to meet all of the requirements under a given framework. Moreover, when a framework is updated to reflect new technology or processes, organizations have one year to conform to the revised version or they may lose the safe harbor defense.
Because many of these regulatory frameworks are general in their recommendations while others are quite specific (such as HIPAA’s 29 required organizational policies), it can be hard for businesses to know whether they are meeting the standard. The answer depends on several factors: the nature of the information being protected, the size of the organization, the resources available to it, and the availability of compliance tools.
For this reason, a cyber security solution provider like Computer Technology Management Solutions may be needed so that organizations can mount the best defense possible and avoid being put out of business. Surveillance and cyber security solutions are not just crucial to keeping a business running efficiently; they are vital to keeping an organization running at all.
Industrial Cyber Security Solutions
Depending on the industry, compliance with one or more cyber security frameworks is critical to ensuring efficient operations and privacy. Although compliance can seem like a burden at times, through the Data Protection Act Ohio has added an extra layer of defense and protection for businesses and other entities that are making their best effort to conform and to protect patients and the other parties they work with.
By consulting with a cyber security solution provider like CTMS, business owners and IT directors can improve their chances of defending against tort claims and reduce the risk of harmful data breaches.