Ohio’s ‘Data Protection Act’ can shield higher ed against breach lawsuits

A new and unconventional Ohio state law that is enticing organizations to practice good cybersecurity hygiene is a major win for higher education.

The first-if-its-kind state law, called the Ohio Data Protection Act, went into effect November 2018, a recognition from lawmakers that data breaches can happen even to the best-prepared organizations. The law provides businesses, including universities and colleges, an “affirmative defense” — or an opportunity to negate liability of alleged unlawful conduct — to lawsuits arising out of data breaches, so long as an organization can prove it had a cybersecurity program in place that conforms with industry standards.

The new law is novel because it presents organizations with an incentive to enact industry-supported information security programs, and promises to protect organizations against lawsuits if they’ve followed information security programs in the manner the law prescribes. Most similar laws are based on punitive pressures, such as fines, regulatory actions, or lawsuits.

The law does not create a minimum cybersecurity standard that businesses in Ohio must follow, nor does it prioritize one industry-recognized cybersecurity framework over another.  Yet, the safety net provided by affirmative defense recognizes that “data breaches happen.”

Draft legislation did not originally include higher education institutions in its definition of “businesses,” but an amendment last month ensures both public and private educational institutions are protected. This is good news for higher education institutions in Ohio because it means that if they can demonstrate compliance, they will be able to use the affirmative defense should they be sued in Ohio for a data breach that disclosed personal information.

It is also good news for institutions not located in Ohio that may experience a data breach involving the personal data of Ohio residents. Those organizations can also take advantage of the affirmative defense in any data-breach case initiated in an Ohio court.

A long time coming

Colleges and universities are particularly well-suited to take advantage of the Ohio Data Protection Act because of their long history of being subject to laws and regulations surrounding the different types of personal data that they collect. Laws like HIPAA and the Gramm-Leach-Bliley Act have long mandated the creation of cybersecurity programs.

Higher education institutions can take maximum advantage of the new law by adopting a unified compliance approach for their cybersecurity programs. Rather than limiting the auspices of their programs to various data elements or regulations, campus cybersecurity programs should be based on an industry-recognized standard, implemented on an institution-wide basis, and then scoped appropriately for the needs of each institution.

Institutions should also follow good information security governance practices like ensuring that programs are well-documented, that staff and faculty receive training on the program, and that reviews regularly take place to document institutional compliance with program.

David Seidl, chief information officer for Miami University in Oxford, Ohio, agrees the Data Protection Act is a win for higher education in Ohio.

“The amendment to the Ohio Data Protection Act was something we were really pushing for,” Seidl said. “Many colleges and universities have already adopted elements of the standards described in the Act. Now each institution has the opportunity to assess what they are doing and to align their policies and programs to eliminate the often-fractured islands of mandated compliance, allowing them to take advantage of the affirmative defense. It can help CIOs and information security officers push forward consistent security practices and policies organization wide.”

Permitted frameworks

To take advantage of the safe harbor, businesses must “create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards” for the protection of personal and/or restricted information. The program must be based on a current version of one of the following industry-recognized frameworks:

1. The NIST Cybersecurity Framework (CSF)
2. NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations)
3. NIST SP 800-53 (Recommended Security Controls for Federal Information Systems and Organizations) or SP 800-53a
4. Federal Risk and Authorization Management Program (FedRAMP)
5. Center for Internet Security’s Critical Security Controls
6. International Organization for Standardization/International Electrotechnical Commission’s 27000 Family – Information Security Management Systems

This new law represents a novel approach to encouraging businesses follow formalized cybersecurity frameworks to secure personal data. If Ohio can show that the law is successful, other states may be persuaded to enact similar laws in the future.

This article does not constitute legal advice. Organizations seeking advice on the application of the Ohio Data Protection Act or any of the laws mentioned in this article should consult with their legal counsel.

 Joanna Lyn Grama, JD, CISSP, is a senior consultant at Vantage Technology Consulting Group where she advises clients on information security policy, compliance, governance and data privacy issues.