An Ohio law taking effect this month creates a safe harbor against certain data breach tort claims. Under the statute, an eligible written cybersecurity program will be an affirmative defense against tort claims brought under Ohio law or in Ohio courts that allege a failure to implement reasonable security measures to protect “personal information” or “restricted information.” This is a unique incentive for voluntary compliance with cybersecurity measures that contrasts with laws in other states, like New York and Massachusetts, that punish noncompliance with cybersecurity provisions.
However, the safe harbor’s utility to defendants will likely be limited due to its nature as an affirmative defense, its limited scope, and its eligibility requirements. As an affirmative defense, the safe harbor will not bar lawsuits. Furthermore, defendants will carry the burden of proving compliance.
The limited scope of the defense also reduces its usefulness. The statute only bars tort claims brought under Ohio law or in an Ohio state court. Eliminating tort claims likely will not significantly reduce a defendant’s exposure because other common data breach claims, like statutory violations or contract theories, would likely still be available. Additionally, in typical data breach cases involving multiple states, plaintiffs can avoid the safe harbor entirely by electing a different state as the forum.
Additionally, proving eligibility for the safe harbor will present significant challenges. To prove the defense, an entity must show that it created, maintained, and complied with a written cybersecurity program. That program must be tailored to the size, complexity, and processing activities of the defendant, the sensitivity of the information at issue, the costs of the tools, and the entity’s resources. It must also be designed to protect security and confidentiality, shield against anticipated threats or hazards, and guard against unauthorized access to and acquisition of information likely to present a material risk of identity theft or fraud. Finally, it must comply with designated industry or government cybersecurity frameworks.
Unlike other state cybersecurity statutes that prescribe specific cybersecurity measures, the Ohio safe harbor is standards-based, making it difficult to definitively prove any element. For example, even when a certification of compliance with a cybersecurity framework is available, the safe harbor may not be satisfied. A certification may address the design of a program, but not whether it was properly implemented or whether the entity complied with it at the time of the breach.
Practitioners should also note that the statute applies to more incidents than Ohio’s data breach notification law. Ohio’s breach notification law applies only to “personal information,” which is a first name or initial and last name combined with another sensitive data element. The safe harbor applies to both breaches of “personal information” and “restricted information.” “Restricted information” is unencrypted and unredacted information that can identify an individual and is likely to result in identity theft or other fraud. Thus, the safe harbor could bar claims from a breach of an individual’s social security number, address, and phone number, while Ohio’s breach notification law would not apply because the breached data did not include the individual’s first name or initial with last name.
While it is unclear whether the safe harbor is sufficiently effective to incentivize voluntary compliance, this statute does indicate a new approach to data security regulation that practitioners should monitor.
Sean Fernandes is an associate at Wyrick Robbins Yates & Ponton LLP in Raleigh, NC.
Copyright © 2018, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).