Sometimes, you do the best you can, but things happen anyway.
You follow all the best practices, all your systems are locked down, you spend twice as much as your peers on cybersecurity, you have cyber insurance in place, and a hacker still gets through. You get sued, there's a judgment against your company that's more than the maximum payout on your cyber insurance policy, and you're out of business. Your company is paying the price for something completely out of its control.
Some industries have "safe harbor" laws to protect companies against these kinds of problems. Take, for example, copyright infringement lawsuits against websites. If your website has stolen content on it, then you're in the wrong and should have to pay for it. But what if the stolen content was uploaded by a random user, and you didn't know that the content was stolen? The Digital Millennium Copyright Act in the US and similar laws in most other countries protect companies from lawsuits as long as they do their best to take down infringing content as soon as they're told about it.
Now Ohio has a similar law – but for data breaches. The state’s Data Protection Act went into effect in late 2018 and unlike the recent privacy-related laws passed by California and Colorado, instead of punishing companies when things go wrong, it rewards them for doing the right things.
What the Law Means for Data Center Operators
In many industry verticals, data centers already have to meet cybersecurity standards, so the law will add some legal protections without much additional work.
For example, data centers with customers in the federal government, financial services, and healthcare must comply with FISMA for government, PCI-DSS for payments, and HIPAA for health care.
Those data centers won't need to do any additional work to be covered under the Ohio law, said Michael Magrath, director of global regulations and standards at OneSpan, a Chicago-based security company. "I would expect data center managers to applaud the new law, as it provides safe harbor for their existing business practices," he said.
For data centers that don't currently fall under these regulatory requirements adopting a cybersecurity framework would be a good idea in any case. To qualify for "safe harbor" under the Ohio law, a company must create a cybersecurity program that falls under one of eight such frameworks: two NIST frameworks, FedRAMP, ISO 27000, HIPAA, Graham-Leach-Bliley, FISMA, and the Center for Internet Security Critical Security Controls framework.
The NIST cybersecurity framework is a good place to start, said George Wrenn, founder and CEO at CyberSaint Security, a Boston-based risk management company. This framework was released five years ago and is now a widely used government standard, according to him.
"Framework adoption has drastically helped information security organizations and CISOs – including myself – standardize cybersecurity best practices," he said.
A Positive Step for Cybersecurity
Ohio is leading the way here, said Colin Bastable, CEO at Lucy Security, an Austin-based cybersecurity training company.
"This is a very good contribution to the fight for cybersecurity," he said. "Security starts with written policy, and this legislation rewards businesses and organizations that put in place best-practice security policies."
And even though the scope of the law is limited to the state of Ohio, organizations shouldn’t limit their compliance only to things they do in the state. "It is a good idea to act as if this legislation applies nationally," Bastable said. Even if compliance isn't considered a mitigating factor in a courtroom, using a solid security framework will help reduce the likelihood of a breach in the first place.
However, courts already consider a companies’ security controls, said attorney Jeremy Byellin, VP for law and regulations at Shared Assessments, a Santa Fe-based industry group focusing on corporate risk. "The law is still very new, so it will be interesting to see how it plays out on the legal landscape," he added.
The true impact will only be felt when other states, or even the federal government, roll out similar versions of the law. "There’s no doubt that one or more additional states will follow Ohio’s example," he said. "And it isn’t too far-fetched to imagine the federal government enacting some kind of similar measure."
Limitations of the Law
Until other jurisdictions follow suit, the impact of the Ohio law will be limited.
Unless a data center decides to move to Ohio, the law won't have much practical effect, said Matan Or-El, CEO and co-founder at Panorays, a New York-based security vendor.
"And even if they do, they still will have to go to court and prove that they followed the correct procedures and that the threat was unexpected," he said.
Plus, the law only applies to tort claims, he pointed out. "It does not protect against statutory and contract-based claims, which are common for data breaches.”
Another criticism of the law is that the requirements might not be strict enough, since the cybersecurity threat landscape changes much faster than the frameworks do. "Meeting those should be table stakes," said Willy Leichter, VP of marketing at Virsec Systems, a San Jose-based cybersecurity firm.
Ultimately, businesses have to be accountable for the data they hold. "Letting them off the hook because they gave it their ‘best effort’ or followed outdated standards seems like we’re lowering the bar too far," he said.