The Ohio Cybersecurity Safe Harbor Law protects organizations against suits that arise from data breaches, as long as organizations can prove they’re aligned with one of the well-established cybersecurity frameworks.
“According to the law, as long as you can show that you’re adhering, or trying to adhere, to an established framework such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, it will trigger safe harbor protection for the company’s leadership and the organization,” says Eric Thal, Managed IT & Cybersecurity Manager at Blue Technologies, Inc. “A company doesn’t have to be perfect, but it must, through its practices, show good intent to align with one of the well-established frameworks.”
Aligning with a framework means adopting cybersecurity measures designed to protect the confidentiality, integrity and availability of all types of critical information against anticipated threats.
Smart Business spoke with Thal about the law and the levels of security necessary to ensure compliance.
Who qualifies for safe harbor protections?
Regardless of the regulatory environment — whether the company is handling credit cards, social security numbers or bank account information — an organization operating in Ohio just needs to adopt any of the well-established frameworks to gain protections in the safe harbor. Organizations can use the frameworks of the International Standards Organization (ISO), Center for Internet Security, NIST, or others. But one thing companies shouldn’t do is spend too much money on this problem because there is no level of protection that is going to completely guard an organization against a breach. Instead, companies should focus on meeting the minimum standards required to ensure a legally defensible position when a breach occurs.
What protections should be in place?
Multi-factor authentication should be in place to verify permitted users when accessing information, using something you know and something you have to authenticate. Endpoint Detection and Response (EDR) should be in place to monitor workstations and servers, collecting the forensic data needed to help organizations remediate and avoid similar types of breaches in the future. Email security solutions through a third party can guard against suspicious emails, which are a primary source of attacks. And because people are often an organization’s most significant vulnerability, annual security awareness training should be practiced.
Having an incident response plan that’s rehearsed through tabletop exercises on an annual basis to simulate what will happen when a breach occurs can go miles to ensure you’re prepared and minimize downtime. The plan will designate who will be responsible for what when a breach is detected. Organizations should also run penetration tests as part of a vulnerability management program to fully understand their organization’s unique threat surface. It’s best to have third parties conduct these tests to get an objective look at the security measures in place and how well they perform under an attack. These steps align with the NIST guidelines and safe harbor law, as well as fulfill a requirement that insurance companies increasingly impose.
What’s at risk if these standards aren’t met?
Companies that don’t adhere to the safe harbor guidelines are not only putting themselves at risk for legal issues, but, if protected information is lost in a breach, the damage to their brand can be devastating. Organizations that are breached could lose the ability to process credit cards or no longer qualify for certain insurance coverage. The many soft costs associated with a breach, such as brand deterioration and reputation loss, are difficult to quantify but are ultimately tangible.
In cybersecurity, there’s no finish line. It’s an iterative process. Avoid costly disruptions and penalties by partnering with a third-party provider that understands the prevailing frameworks, the Ohio law and the processes and programs that protect the business and ensure it meets regulatory and compliance requirements.
INSIGHTS Technology is brought to you by Blue Technologies, Inc.