State governments have increased their focus on cybersecurity legislation over the past year, attempting to take on the alarming (and highly publicized) tide of large data breaches that have struck businesses in recent years. All 50 states now have data breach laws in place, and many of the bills being passed follow a similar vein, addressing the need for documented security programs and breach notification practices.
A few states have blazed their own path in cybersecurity law (e.g., California and its focus on IoT security). Among these idiosyncratic efforts, the Ohio Data Protection Act (ODPA) stands out for its novel, incentive-based approach: rather than penalizing weak security, it rewards organizations that maintain a documented, framework-aligned security program.
In short, companies meeting the ODPA's qualifications receive a legal “safe harbor” if litigation is brought against them as the result of a data breach. Practitioners should note the limits of that protection: the ODPA creates an affirmative defense against tort claims alleging that the breach resulted from a failure to implement reasonable security controls. It is not immunity from suit, it does not excuse breach notification obligations, and the organization still has to demonstrate that its program actually met the statute's requirements at the time of the breach.
To meet the standards for this first-of-its-kind legal protection, organizations must create, maintain and comply with a written cybersecurity program containing administrative, technical and physical safeguards for the protection of personal information. The program must reasonably conform to a recognized security framework. Organizations already regulated by the state of Ohio or the federal government under HIPAA, HITECH or FISMA qualify as long as they stay in compliance with those rules. Other organizations can qualify by conforming to one of several frameworks: the NIST Cybersecurity Framework; NIST SP 800-53, SP 800-53A or SP 800-171; FedRAMP; the CIS Critical Security Controls; or the ISO/IEC 27000 family of standards. Conformance is not a one-time exercise: when the chosen framework is revised, the program must be brought into line with the revised version within a year, so the documented program, its control mapping and the evidence of implementation need to be kept current.
While the ODPA model is unique right now, other states may adopt similar approaches. As state legislatures continue to pass cybersecurity bills, ideas that work in one state are likely to take hold across state lines. Regardless of whether the carrot or the stick rules the day, the message for organizations is the same: a documented cybersecurity program aligned with a recognized framework is a must.
Lunarline supports organizations of all types in their quest to achieve and maintain compliance with the regulatory standards that are pertinent to their industry. Our educators and consultants cover areas of expertise ranging from FedRAMP, for cloud-based service providers, to HIPAA and HITECH, for those in healthcare.
For more information on our services, contact the Lunarline team online today.