Ohio’s Data Protection Act: What you need to know
We’ve written a lot about cybersecurity and why it’s so important to protect your customers’ sensitive data from cyber-attacks. We don’t write these articles with the intent to scare you, or to try and get you to purchase software you don’t need or implement data security plans that don’t match the scale of your business.
The goal of these articles is to help you prepare and defend your business against these attacks.
The Ohio Data Protection Act
If you still haven’t taken the necessary steps to protect your data, maybe Ohio’s new Data Protection Act (DPA) will offer the additional (legal) motivation you need. The DPA “provides a safe harbor against data breach lawsuits for businesses that implement and maintain cybersecurity programs that meet certain industry-recognized standards.”
What does this mean? In its simplest form, if your business implements and maintains an effective cybersecurity program, as outlined by the DPA, you may receive special protection from litigation in the event of a security incident or breach.
Why is this important to my business? Some cyber-attacks may be unavoidable. However, if your cybersecurity program “reasonably conforms” to the Ohio Data Protection Act standards, it can protect your business against lawsuits from customers (and other companies) whose private data was accessed by unauthorized third parties.
What are the DPA standards? To take advantage of the safe harbor provision, your cybersecurity program must:
- Protect the security and confidentiality of personal information
- Protect against any anticipated threats or hazards to the security of that information
- Protect against unauthorized access to that information
In addition, the DPA recognizes there is no one-size-fits-all approach to data security: a small mom-and-pop craft store, for example, should not have to meet the same level of cybersecurity as a bank that is responsible for tons of highly sensitive data. Thus, the DPA says that an effective program takes into account:
- The size (and complexity) of the business
- The nature of the business and its activities
- The sensitivity of the information that needs to be protected
- The cost and availability of tools to improve security and protect against attacks
- Business resources available
Finally, your business must reasonably conform to one of eight cybersecurity frameworks:
- NIST
- HIPAA or HITECH
- FedRAMP
- GLBA
- CIS Controls
- FISMA
- ISO 27000 Family
- PCI DSS
What’s the next step for my business? Implement a cybersecurity program immediately!
We can’t stress this enough. Cyber-attacks destroy businesses every day. A proper cybersecurity program not only can prevent these attacks from happening, but in the rare event attackers still find a way past your security, you can be protected from lawsuits that can bankrupt your business.
If you or your IT department are familiar with the above frameworks, great! Get started implementing your plan today.
If you need any help creating your cybersecurity plan, or simply want more information on the new Data Protection Act, please give me a call directly at 330.572.7575, or email me at pat@pcrbusinesssystems.com.
I’ll be happy to answer any questions you may have, or we can schedule a Free IT Discussion to chat about your current cybersecurity program to see if it meets the DPA standards.
Pat Carroll
President, PCR Business Systems