On August 3, 2018, Ohio Governor John R. Kasich announced that he signed Substitute Senate Bill 220 (“SB 220” or “Bill”) that, in part, affords a litigation “safe harbor” to covered entities that implement, maintain, and comply with specified cybersecurity programs. Covered entities, e.g., businesses, sued after a data breach may be able to avoid liability with respect to certain causes of action. The legislature designed SB 220 to incentivize entities to achieve a high level of cybersecurity. Despite the apparent intent of the law, it is unclear whether the Safe Harbor will provide significant protections and further incentivize good security practices. Below is a summary of SB 220’s key provisions with associated commentary.
The “Safe Harbor” Basics
SB 220 provides covered entities with an affirmative defense to any tort action (e.g., negligence, invasion of privacy, etc.) brought under Ohio law (or in an Ohio court) that alleges a breached entity failed to implement reasonable information security controls.[1] “Covered entities” include any limited liability company, limited liability partnership, corporation, sole proprietorship, association, or other group (however organized).[2]
Generally speaking, to be eligible for the Safe Harbor, an entity will need to establish that it designed, implemented, and maintained its cybersecurity program[3] to:
- protect the security and confidentiality of the information;
- protect against any anticipated threats or hazards to the security or integrity of the information; and
- protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.
If the breached entity can establish that its information security controls met the Bill’s standards, the entity can avoid tort liability despite the breach and any harm suffered by the plaintiffs.
Meeting SB 220’s Security Standards
To obtain the Safe Harbor’s protections, the “scale and scope” of an organization’s cybersecurity program must be tailored to: (i) the entity’s size and complexity; (ii) the nature and scope of the entity’s activities; (iii) the to-be protected information’s sensitive nature; (iv) the cost and availability of tools to improve information security controls; and (v) the entity’s resources.[4] Moreover, subject to certain exceptions[5], an entity’s cybersecurity program will need to conform to industry recognized cybersecurity programs.
To qualify, non-regulated entities (e.g., those whose security is not regulated by the state or federal government), are required to implement a security program that conforms “reasonably” to one of the following:
- the ISO 27000 family – information security management systems.[6]
To qualify, regulated entities (e.g., one whose security is regulated by the state or federal government) are required to implement a security program that conforms “reasonably” to, as applicable, the:
To qualify, entities that accept payment cards can be eligible for the “Safe Harbor,” if compliant with both the Payment Card Industry Data Security Standard and one of the standards articulated for non-regulated entities.[8]
Significantly, eligibility for the Safe Harbor does not require perfect compliance with the laws or standards identified by the Bill. Rather, an entity only needs to establish “reasonable” conformity with those standards and laws.
Challenges
On paper, the Bill appears to provide meaningful protection for entities that face data breach litigation. In order to take advantage of the Bill’s protections, however, entities will have to overcome procedural and substantive challenges:
- SB 220 affords an affirmative defense; it does not serve as an early bar to litigation. The covered entity will need to prove factually that its security controls reasonably conformed to applicable security industry standards. This issue of proof will likely present factual questions that may not be easily resolved through pleading and early motion practice. As such, applicability of the Safe Harbor may not be decided until late in litigation, including during trial.
- While SB 220 indicates that it does not create a private right of action,[9] for non-regulated entities, an unresolved question is whether SB 220 effectively shifts the burden of proof, at least in part. Presently, to impose tort liability, plaintiffs have the burden to prove a covered entity violated its duty of care because that entity did not have reasonable information security controls in place. However, because the Bill establishes an affirmative defense, to be eligible for the defense, the covered entity will have to prove reasonable conformity with one of the specified security standards. That said, even if the Bill effectively shifts the burden of proof, the Bill still provides advantages because it prescribes a limited number of security standards that apply and only requires “reasonable” conformity with those standards.
- After investigating the root cause of a data breach, it is not unusual for an entity to discover a handful of vulnerabilities or errors, which if corrected, would have prevented the breach. An entity that wants to use the Safe Harbor must therefore argue that, despite the breach, its security measures reasonably met the specified standards. Because information security is inherently technical and complex, this can be a difficult argument to make to a jury. This is especially the case where the plaintiff is able to point to a few actions that would have prevented the breach. At the same time, plaintiffs will likely utilize an expert who will testify that the breached entity did not reasonably comply with the specified standards. Overall, because of the “optics,” and the likely existence of an opposing expert opinion, even entities that have “done the right thing” may find it hard to persuade a judge or jury.
- Consumer data breach litigation often involves non-tort claims such as breach of express or implied contract; unjust enrichment; and/or violations of consumer protection or unfair trade practice laws. However, the Safe Harbor does not afford protection from claims arising under contract or statute. Rather, the Safe Harbor limits only tort actions, e.g., negligence and invasion of privacy, against an entity.
Next Steps
SB 220 rewards entities that take proactive steps to design, implement, and maintain cybersecurity controls. While challenges exist in asserting this affirmative defense, entities that carefully construct their information security programs will have more ammunition to fend off tort liability in some cases, including additional settlement leverage. An entity that wishes to take advantage of the Safe Harbor should consider the following steps:
- gain an understanding of the information in its possession (what is collected; how it is collected, stored, and shared) in order to ascertain the necessary scope of its security program;
- determine if the entity is subject to any statutory and/or regulatory information security control requirements, and its current compliance status with respect to those requirements;
- if the entity is not adhering to one of the articulated standards, identify an appropriate standard to adopt in developing the program, and then identify any gaps the entity has;
- design a cybersecurity program that adheres to the applicable standard, and to the extent that such a program necessarily involves a risk-based approach, document the entity’s risk assessment and decision-making process in order to help prove at a later date that its program is within SB 220’s Safe Harbor; and
- implement the program and maintain it over time, including conducting ongoing risk assessments and updating security measures to the extent mandated by applicable security standards.
Notes
[1] Ohio Rev. Code § 1354.02(D)(1).
[2] Id. at §§ 1354.01(B), (D).
[3] Id. at § 1354.02(B).
[4] Id. at § 1354.02(C).
[5] Id. at § 1354.03(A)(1) citing Sections 1354.03(A)(2) and 1354.03(D).
[6] Id. at § 1354.03(A)(1).
[7] Id. at § 1354.03(B)(1).
[8] Id. at § 1354.03(C)(1).
[9] Id. at § 1354.04.
Contributors
Andrew Esptein