For a business, there’s not much worse than becoming the victim of a cyberattack. First there’s the cost and downtime that come with having to purge your network of all embedded cyberthreats. Then there’s the problem of company reputation. No one wants to work with an organization that has recently suffered a data breach. Last but not least, there’s the insult to injury which often comes in the form of costly litigation.
If you own a business in the state of Ohio, however, the tides may be changing for the better. Ohio has implemented into law a plan aimed at protecting businesses from legal claims after a data breach. Senate Bill 220, also known as the Ohio Data Protection Act (DPA), is the first of its kind in the US. Here is everything you need to know about the newly enacted law.
The Ohio Data Protection Act
Businesses, both big and small, are prime targets for data theft. Cyberattacks are not only growing in frequency, but also becoming more sophisticated and difficult to deal with. The consequences that come after a cyberattack can be devastating and, in some cases, can result in a business being forced to close its doors. The best way to avoid becoming a victim of a cyberattack is to have an effective cybersecurity strategy.
While you may have the appropriate cybersecurity you need to keep your business safe, that’s not true for every company. Many organizations forgo implementing security measures for one reason or another. To get businesses like these to improve their security posture, Ohio legislators signed into law the DPA in November 2020. This Ohio cybersecurity law aims to incentivize businesses to adopt protection policies that can keep them safe.
Why Is the Data Protection Act Important?
As mentioned earlier, one of the biggest consequences of a data breach is having legal claims thrown at your business. This new law offers safe harbor from legal claims if the business implements, maintains, and complies with one of several industry-recognized cybersecurity programs. Essentially, what this means is if your business put in the effort to protect its sensitive information, yet a data breach still happened, you can use the DPA to guard against legal action.
Within Ohio data privacy laws, the DPA is recognized as an established and credible defense. A company that is seen as being DPA compliant can use this law to fend off any claim related to the cyberattack. As a result, the DPA can help your business dodge the costs of court judgements and prolonged litigation. It is a rather effective incentive for a business to achieve cybersecurity compliance.
However, the act wasn’t made for the purpose of creating a minimum standard that must be achieved. It also wasn’t created to impose liability on businesses that don’t comply. It’s simply a law that is designed to encourage Ohio businesses to achieve a high level of cybersecurity voluntarily.
Qualifying for the Data Protection Act
In order to take advantage of this benefit, it’s necessary for your business to have a cybersecurity program. The program must:
- Secure any personal information in your company’s possession.
- Protect against potential threats to the security or integrity of any personal information.
- Defend against unauthorized access to and acquisition of data.
The scale and scope of the program depend on a few factors like:
- The size and complexity of your company
- The nature of your operations
- The level of sensitivity of the information you manage
- The cost and availability of cybersecurity tools and solutions
- The resources you have at your disposal
Additionally, it’s required that your business “reasonably” complies with cyber regulations such as:
- National Institute of Standards and Technology’s (NIST)
- Federal Risk and Authorization Management Program (FedRAMP)
- Center for Internet Security’s (CIS) Critical Security Controls for Effective Cyber Defense
- International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27000
- Payment Card Industry Data Security Standards (PCI-DSS)
How CTMS Can Help
Implementing cybersecurity solutions is what we do best at CTMS. As your managed security service provider, we deploy a variety of security measures that maximize your security posture. With our solutions, our team can help you achieve the compliance necessary to benefit from Ohio’s data protection act.
Contact us today to get started.
About Us
Computer Technology Management Services (CTMS) supports organizations nationwide with high-quality, customizable business IT tools and cybersecurity strategies for dealerships and more.