As a business owner, you may not have cybersecurity at the top of your list of concerns, but cybersecurity is not only for larger companies. Every business and non-profit organization that handles customers’ personal information needs to address it. It is recommended that your business have a policy documenting how that information is handled.
If your business keeps personal information and does not encrypt or redact personal information, then it is recommended that you have a cybersecurity policy in place that matches the Ohio Data Protection Act safe harbor provision. The Ohio Data Protection Act (Ohio Revised Code 1354) was recently amended to add a legal ‘safe harbor’ that is effective November 2, 2018. To qualify for the safe harbor you must have a company policy that meets the safe harbor guidelines. If your business has a cybersecurity breach, a qualifying policy gives your business an affirmative defense in a lawsuit. To qualify, your company must have a policy and follow the policy.
Does your company handle information that should be protected by a cybersecurity policy?
You need to identify whether you handle Personal Information and/or Restricted Information. Both of these terms are specifically defined by statute. Personal Information is an individual’s name (including first initial and last name) linked to one or more additional types of data. Also, to fit the definition, the name and the additional type of data must not be encrypted, redacted or otherwise altered to make the data unreadable.
The additional type of data includes a social security number, a driver’s license/state ID number, or a payment account number such as a credit/debit card number together with a security code allowing access to the account. So the data your business collects needs to have three things to be Personal Information:
(1) an individual’s name
(2) an additional type of data
(3) neither the name nor the additional type of data is encrypted, redacted or unreadable.
If customer information is something publicly available through government records such as court documents or public records (property or tax records), then it is not Personal Information. If customer information is something publicly available in the news media (newspaper, magazine, radio, television), then it is not Personal Information. This exception is not likely to prove useful for most businesses.
The law also addresses Restricted Information, which is less specific than Personal Information. “Restricted information” means any information about an individual that alone or in combination with other information, including personal information, can be used to distinguish or trace the individual’s identity or that is linked or linkable to an individual. Examples of this may be usernames or passwords that your business stores.
If you encrypt or redact the information you store, you fall outside the definitions of Personal Information and Restricted Information. Redacted means altered or truncated so that no more than the last four digits of a social security number, driver’s license number, state identification card number, account number, or credit or debit card number is accessible as part of the data.
If the information your business maintains does not meet the definition of Personal Information or Restricted Information, it is not immediately clear what that means for legal liability. The ‘safe harbor’ provision assumes that the definition of Personal Information or Restricted Information applies. Therefore, it is recommended that you have a formal written policy reflecting how your company handles customer information and that follows the ‘safe harbor’ provisions regardless.
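The three-element test and the statutory redaction definition above can be checked mechanically against stored records. The following is an added example, not code from the original post or from any law office; the record layout, the rule that a qualifying name needs at least an initial and a last name, and the sample values are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Record:
    """Constructed, hypothetical customer row as a small business might store it."""
    name: Optional[str]                   # e.g. "J. Smith" (first initial + last name)
    ssn: Optional[str] = None
    drivers_license: Optional[str] = None
    card_number: Optional[str] = None
    card_security_code: Optional[str] = None
    encrypted: bool = False               # True when the row is stored encrypted at rest


def redact(value: str) -> str:
    """Produce the statutory redacted form: only the last four digits stay readable.
    Non-digit separators (dashes, spaces) are kept so the field stays recognisable."""
    out: List[str] = []
    digits_kept = 0
    for ch in reversed(value):
        if ch.isdigit():
            digits_kept += 1
            out.append(ch if digits_kept <= 4 else "*")
        else:
            out.append(ch)
    return "".join(reversed(out))


def is_redacted(value: str) -> bool:
    """Redaction test from the definition: no more than four digits remain accessible."""
    return sum(1 for ch in value if ch.isdigit()) <= 4


def is_personal_information(rec: Record) -> bool:
    """Three-element test: (1) a name, (2) an additional data element,
    (3) neither encrypted nor redacted. Returns True when the row would count
    as Personal Information and therefore needs the protections discussed."""
    if rec.encrypted:
        return False                      # element (3) fails: data is unreadable
    # Assumption: a name counts only with at least an initial and a last name.
    if not rec.name or len(rec.name.split()) < 2:
        return False                      # element (1) fails
    additional = [v for v in (rec.ssn, rec.drivers_license) if v]
    # A payment account number counts only when paired with a code allowing access.
    if rec.card_number and rec.card_security_code:
        additional.append(rec.card_number)
    # Element (2)+(3): at least one additional element that is still readable.
    return any(not is_redacted(v) for v in additional)
```

Running `is_personal_information` over an export of your customer table is a quick way to find rows that still fall under the statutory definition and are candidates for redaction or encryption.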
Regulated Businesses May Already Qualify for the ‘Safe Harbor’ Provision
If your business is in a regulated industry such as the healthcare industry or the financial industry, or works with a Federal government agency, your business may already have compliance policies in place that qualify for safe harbor protection. If your business is subject to the following security provisions, compliance with these provisions is sufficient to qualify for the safe harbor provision:
(a) HIPAA (45 CFR Part 164, Subpart C) – healthcare information
(b) Financial Services Modernization Act of 1999, Title V (GLBA) compliance for financial institutions
(c) FISMA Reform for non-national security federal Executive Branch IT systems
(d) HITECH Act (45 CFR Part 162) – electronic health records
(e) If your policy follows a version of the payment card industry (PCI) security guidelines that is not yet final, compliance with those guidelines is not sufficient in itself and your policy must also comply with industry-accepted guidelines. Once a final version is issued, compliance with the PCI guidelines will be sufficient to qualify your policy for safe harbor protection. A new version was posted May 2018 as version 3.2.1.
What Your Cybersecurity Policy Must Address to Qualify
To qualify for the safe harbor your business must have a cybersecurity policy which:
(1) protects the security and confidentiality of the information;
(2) protects against any anticipated threats or hazards to the security or integrity of the information;
(3) protects against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates. See ORC 1354.02(B)(1)-(3).
Qualification for the safe harbor provision is a sliding scale. Whether a cybersecurity policy qualifies will depend on the available technology, the size of your business, the information being collected, what is done with the information collected, how much current technology costs, and the resources available to your business. The short answer: whether your policy qualifies will not be clear unless and until there is a security breach and the policy is reviewed by the courts.
Industry Guidelines for Cybersecurity Policies
Following guidelines provided in the cybersecurity industry is a way to draft an effective cybersecurity policy. The safe harbor identifies organizations that publish or provide industry-accepted guidance on cybersecurity policies. These organizations often update guidelines, so it is recommended to update your policy on a routine basis.
NIST is one organization referenced in the safe harbor provision along with the following publications:
NIST Special Publication 800-53 and 800-53A, relating to Security and Privacy Controls for Federal Information Systems and Organizations and Assessing Security and Privacy Controls in Federal Information Systems and Organizations
International Organization for Standardization/International Electrotechnical Commission 27000 family (aka ISO/IEC 27000 family) for information security management systems. The ISO/IEC 27000 family is only available for purchase, for between $960 and $1200 (depending on whether you are an ANSI member)
Do Not Forget to Check your Service Provider’s Cybersecurity Policies
If you are outsourcing services to handle storage or payment information, review your service agreements and look for statements regarding the standard of care provided by your service provider. If you do not see a standard of care statement corresponding to the industry accepted guidelines (summarized above), then consider having a clear standard of care included in your service agreement.
If you are looking for help or guidance writing a cybersecurity policy, please contact us.
October 22, 2018
Disclaimer: The content of this blog post (“post”) is accurate as of the date of writing; laws change frequently and readers should not rely upon the online information. The reader should seek the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer licensed in the recipient’s state, country or other appropriate licensing jurisdiction.
Disclaimer: The information in this blog post (“post”) is provided for general informational purposes only, and may not reflect the current law in your jurisdiction. No information contained in this post should be construed as legal advice from LRGrunzinger Law Office or the individual author, nor is it intended to be a substitute for legal counsel on any subject matter. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer licensed in the recipient’s state, country or other appropriate licensing jurisdiction.