Ohio Senate Bill 220 Incentivizes Businesses to Maintain Higher Levels of Cybersecurity

In the last two years alone, there has been a number of high-profile breaches that have given organizations pause, asking them to consider whether the same kind of event could happen to them. After all, a cybersecurity breach could seriously damage or even level your business if you’re not prepared and do not have the appropriate security programs in place. We’ve seen the implementation of the NYDFS Cybersecurity Regulation, and recent breaches have led to serious fines, potentially in the billions, for violating GDPR.

Most recently, we saw the Ohio Senate Bill 220 (S.B. 220) signed into law and go into effect as of Nov. 2, 2018. S.B. 220, known as the Data Protection Act, serves as an incentive to businesses to ensure that they achieve and maintain a higher level of security by maintaining industry-standard cybersecurity programs.

Recent research has shown that the average cost of a data breach globally is $3.86 million – an increase of 6.4 percent from 2017. As data breaches are growing in prevalence and the cost to organizations continue to rise, S.B. 220 serves as a legal “safe harbor” for firms operating in Ohio, if they’re sued for negligently failing to implement reasonable information security controls resulting in a data breach. The organization can use its compliance with the cybersecurity control as an affirmative defense, assuming it is in compliance with one of eight industry frameworks:

• NIST SP 800-171
• NIST SP 800-53 and 800-53(a)
• The Federal Risk and Authorization Management Program (FedRAMP)
• Center for Internet Security (CIS) Critical Security Controls
• The ISO 27000 Family
• The HIPAA Security Rule
• Graham-Leach-Bliley Act
• The Federal Information Security Modernization Act (FISMA)

It is important to note that the Data Protection Act “does not, and is not intended to, create a minimum cybersecurity standard that must be achieved,” and it is not to “be read to impose liability upon businesses that do not obtain or maintain” a cybersecurity program that is compliant with one of the eight recognized frameworks listed above. In fact, the bill highlights that there is no silver-bullet approach to cybersecurity, and in order for an organization to call upon the “safe harbor,” it needs to have a program with a scope and scale appropriate to factors like the size and nature of the business, and the level of personally identifiable information it collects and carries.

In the end, it pays for companies to implement proper cybersecurity programs, because it reduces the risk of breach and it mitigates legal risk if a breach occurs. At the same time, cybersecurity protections are still evolving, and organizations are starting to understand that when they focus solely on network security, web application firewalls, or data leakage prevention tools, they are leaving vulnerable a key attack surface: its web applications.

The past few years have seen a marked increase in the number and severity of successful attacks aimed at the application layer, and our State of Software Security report has shown that 85 percent of applications have at least one vulnerability on initial scan. To begin implementing an AppSec program that scales to the size and needs of your organization – and reduces the risk associated with building, buying, and borrowing software – download our Ultimate Guide to Getting Started with Application Security.