If you are working with an IT Service Provider such as Intrust, know that you DO NOT have to know about current data protection because we handle it for you. But you do need to know what the state of Ohio requires to make sure your cybersecurity insurance contract will provide “reasonable” cybersecurity controls.
In 2018, the State of Ohio enacted the Ohio Data Protection Act (SB 220) for businesses to ensure "reasonable" cybersecurity controls are implemented and maintained. It is called the Safe Harbor Act.
It is designed to protect the security and integrity of personal information against anticipated threats and against unauthorized access to, and gathering of, information that could lead to identity theft.
According to Tech Beacon, “the law's protections are noticeably limited in scope to certain types of tort claims, leaving even those businesses that have robust cybersecurity programs vulnerable to statutory violations, such as data breach notification requirements, or claims based in contract, such as a business-vendor dispute.” The law does not dictate requirements; it only sets cybersecurity parameters.
Tech Republic reports, “The law allows businesses to determine the appropriate framework to follow based on the individualized needs of the business.”
The Ohio law also requires the cybersecurity program be adequate when considering:
- Resources available to the business
- Size and complexity of the business
- Nature and scope of the activities of the business
- The sensitivity of the information
- The cost and availability of tools to improve security and reduce weak areas
If it all sounds a bit mystifying, maybe this explanation from JDSupra will help: “The law operates by incentivizing businesses to develop and maintain a cybersecurity program that ‘reasonably conforms’ to an already existing, industry recognized cybersecurity framework. If the company can prove that it had a compliant cybersecurity program in place at the time of a breach, the company can use the program’s existence as an affirmative defense to certain tort claims.”
So, the bottom line is that the law is helpful, but not a guaranteed protection if you are breached and data is compromised or lost.
Having an experienced MSP such as Intrust as your IT partner allows you to be confident that changes in laws such as these are being covered. We keep watch and let you know if something needs to be changed.