Passing with 24 yeas and 8 nays, effective as of November 2, 2018, Ohio Senate Bill 220 was touted as a way to use the ‘carrot approach’ for organizations to increase cybersecurity. This incentive was to encourage the shielding of data breach liability for organizations in certain situations.

Excerpts from the bill are provided below. Note the language used for specifics on conforming and also to what frameworks are applicable.

Two (2) parts of section 3 of the bill (which can be found in full here: https://www.legislature.ohio.gov/legislation/legislation-summary?id=GA132-SB-220 seems to sum up its intentions:

SECTION 3. (A) The purpose of this act is to establish a legal safe harbor to be pled as an affirmative defense to a cause of action sounding in tort that alleges or relates to the failure to implement reasonable information security controls, resulting in a data breach. The safe harbor shall apply to all covered entities that implement a cybersecurity program that meets the requirements of the act.

(B) This act is intended to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action. The act does not, and is not intended to, create a minimum cybersecurity standard that must be achieved, nor shall it be read to impose liability upon businesses that do not obtain or maintain practices in compliance with the act.

The act allows safe harbor, with caveats, to entities with a cybersecurity program that “reasonably conforms” to the current version of any of the following:

• The NIST CSF
• NIST SP 800-171
• NIST SP 800-53 and NIST 800-53a
• FedRAMP
• Center for Internet Security Critical Security Controls for Effective Cyber Defense
• ISO 27000 (The "international organization for standardization/international electrotechnical commission 27000 family - information security management systems")
• HIPAA Security Rule
• Graham-Leach-Bliley Act (GLBA)

The bill uses the language “reasonably conforms,” and specifies the entirety of the standard in question. Having spent a significant time with IT and Information Security professionals, I know that their interpretation of “reasonably conforms” will be all over the place. Even more so, I can imagine attorneys have a lot to say about how to interpret that. Who has seen an organization that has completely implemented the CIS Top 20?

While they do have a lot of overlap, the standards and frameworks that are included in the bill are all very different. What is most interesting to me is the scoping. For example, ISO 27001 is very dependent on the scope of what is included. When considering whether safe harbor will be granted, how will the scope of compliance be considered? What if the breach affects a large amount of data, and only some of the data was in scope and compliant with ISO 27001? Will only the data that was in scope be granted safe harbor, none of it, or some other interpretation?

While I am always glad to see legislators keeping cybersecurity in mind, it seems like this may bring more questions than answers. It will be interesting to see how this new law plays out in Ohio, and if other states follow suit. Each of the 50 states and Washington, D.C. having their own cybersecurity laws could prove a nightmare for organizations as they work to interpret 51 different sets of laws. It could certainly be a boon for attorneys and consultants. Perhaps it is time for the United States to consider federal legislation to provide consistency and clarity for organizations.