Ohio’s Safe Harbor Act: 2023 Updates


If you are working with an IT service provider such as Intrust, know that you DO NOT have to know about current data protection because we handle it for you. But you do need to know what the state of Ohio’s Safe Harbor Act requires to make sure your cyber security insurance contract will provide “reasonable” cyber security controls.

In 2018, the State of Ohio enacted the Ohio Data Protection Act (SB 220) for businesses to ensure “reasonable” cyber security controls are implemented and maintained. It is called the Safe Harbor Act. Utah and Connecticut shortly followed in 2021.

The act is designed to protect the security and integrity of personal information against anticipated threats and against unauthorized access to, and gathering of, information that could lead to identity theft.

According to Tech Beacon, “the law’s protections are noticeably limited in scope to certain types of tort claims, leaving even those businesses that have robust cyber security programs vulnerable to statutory violations, such as data breach notification requirements, or claims based in contract, such as a business-vendor dispute.” The law does not dictate requirements, only sets cyber security parameters.

Tech Republic reports, “The law allows businesses to determine the appropriate framework to follow based on the individualized needs of the business.” 

The Ohio law also requires the cyber security program to be adequate when considering:

  • Resources available to the business.
  • Size and complexity of the business.
  • Nature and scope of the activities of the business.
  • The sensitivity of the information. 
  • The cost and availability of tools to improve security and reduce weak areas.

How to Adhere to the Law

So, what does this mean in plain English?

A SmartBusiness article recently featured an interview with Eric Thal, Managed IT & Cybersecurity Manager at Blue Technologies, Inc. He says, “According to the law, as long as you can show that you’re adhering, or trying to adhere, to an established framework such as The National Institute of Standards and Technology (NIST) Cybersecurity Framework, it will trigger safe harbor protection for the company’s leadership and the organization.”

Thal also notes, “A company doesn’t have to be perfect, but it must, through its practices, show good intent to align with one of the well-established frameworks.”

What Cyber Security Protections Should I Have?

First, implementing multi-factor authentication (MFA) adds an extra layer of security by verifying authorized users with something they know and something they have.

To monitor and prevent breaches, endpoint detection and response (EDR) solutions are crucial. They collect forensic data from workstations and servers, aiding in remediation and preventing similar incidents in the future. Additionally, leveraging email security solutions provided by trusted third-party vendors helps guard against suspicious emails, a primary source of attacks.

We also recognize that people can be a vulnerability. Conducting annual security awareness training empowers employees to be active defenders against cyber risks. 

In the unfortunate event of a breach, having a well-rehearsed incident response plan and conducting tabletop exercises annually ensure preparedness and minimize downtime. Moreover, running penetration tests, performed by third-party experts, provides an objective evaluation of your security measures, aligning with NIST guidelines and fulfilling requirements from insurance companies under the Safe Harbor Act.

By implementing these measures, you can enhance your organization’s security posture and protect your valuable data. 

What Are the Costs of Noncompliance?

Companies that fail to adhere to Safe Harbor Act guidelines not only expose themselves to potential legal issues but also put their brand reputation at stake if protected information is compromised in a breach. The damage caused by such incidents can be devastating.

Breached organizations may lose the ability to process credit cards or may no longer qualify for certain insurance coverage, leading to financial repercussions. Moreover, brand deterioration and reputation loss have tangible effects on the organization’s bottom line.

There is no definitive finish line when it comes to cyber security. To avoid costly disruptions and penalties, it is crucial to partner with a trusted third-party provider that comprehends the prevailing frameworks, understands Ohio laws and possesses the expertise to implement processes and programs that safeguard your business, ensuring compliance with regulatory requirements. 

Having an experienced MSP such as Intrust as your IT partner allows you to be confident that changes in laws such as these are being covered. We keep watch and let you know if something needs to be changed.

Questions on the Safe Harbor Act? 

Not a client? No worries. Contact us or book a no-obligation meeting to learn whether Intrust IT is the right IT and cyber security partner for your business.


Intrust Man

Intrust Man may be small, but he is mighty smart. You can trust this clever cartoon hero to provide news you can use.
