Lawmakers offer legal carrot to defeat data breaches

11/3/2017
BY JIM PROVANCE
BLADE COLUMBUS BUREAU CHIEF
  • Drugmakers-Lawsuit

    Ohio Attorney General Mike DeWine

    THE COLUMBUS DISPATCH

    • COLUMBUS — Businesses that take certain steps to secure their customers’ sensitive information could be protected from a lawsuit later if a hack still occurs under a recently introduced bill.

    Senate Bill 220 is designed to encourage businesses of all sizes to voluntarily act in exchange for the promise they could later assert an affirmative defense in court that they’d been proactive.

    “Those business that take reasonable precautions and meet these important standards will be afforded a safe harbor against claims should a data breach occur ...” Ohio Attorney General Mike DeWine said. “To trigger the safe harbor provision, businesses must create their own cyber-security programs that meet certain standards.” 

    The proposed Data Protection Act is the first bill to emerge from Mr. DeWine’s cyber-security task force of business leaders, information technology experts, and law enforcement created in the wake of high-profile hacks of consumer information.

    The bills’ backers stressed the measure does not lay out a minimum set of standards that, if not met, could serve as grounds for litigation in the event of a breach.

    “Minimum standards don’t evolve, frankly, very well ...” said Kirk Herath, vice president and chief privacy officer of Columbus-based Nationwide Financial Services and a member of Mr. DeWine’s CyberOhio Initiative panel.

    “The main thing that we wanted to do was create a set of frameworks that were evolutionary and evolved with risk ...” he said.

    Sen. Bob Hackett (R., London), one of the bill’s sponsors, said this process also means lawmakers won’t have to continually revisit the issue to update a minimum set of standards.

    Protections for a business that acts proactively could begin as soon as it sets itself upon that path. The business would be given a year to come up with its own program in writing using one of eight industry-specific frameworks developed by the National Institute of Standards and Technology.

    The business would then have another year to implement the plan, during which it could conceivably offer the affirmative defense in court if a hack occurs.

    It would still be up to a judge to determine whether a business met its burden to qualify for the safe harbor from litigation.

    “There would be no certification ...” Mr. Herath said. “You would make the defense, and then you would have to prove it in trial. It’s very fact-sensitive, and this is not a get-out-of-jail-free [card] by any means. You would still have to show all the work.”

    The measure provides no financial assistance to businesses to participate.

    “Effective cyber-security should be considered an investment,” Mr. DeWine said.

    Contact Jim Provance at jprovance@theblade.com or 614-221-0496.