BY SVIATLANA LIASHCHYNA
as seen in Issue-34 of a360inc's Compliance Newsletter
Until recently, the default legal services industry was used to seeing information security laws and regulations that provided for specific actions to be taken or for penalties for non-compliance with specific requirements. This month, Ohio passed a state law (Bill SB 220) that takes a different approach: it encourages businesses to establish stronger information security controls by providing safe harbor protection against tort actions alleging that a failure to implement security controls resulted in a data breach. The new law does not create minimum cybersecurity standards that must be achieved, nor does it impose any liability on businesses that fail to meet any legal requirements. Instead, the Act enables businesses to use implemented internal cybersecurity programs as an affirmative defense in tort actions arising out of data breaches.
The new law provides that the cybersecurity program defense can be raised if it:
Regulated entities should comply with the security requirements of such industry-specific acts as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA).
Businesses may structure their programs based on:
Although this is a state law applicable to OH businesses in OH courts, does not bar litigation entirely, and offers protections whose significance is not yet clear, it is still worth noticing: it introduces a new trend in state legislation (incentive vs. specific requirements), and it highlights the importance of implementing internal security controls.
The list below highlights some of the benefits of having a solid internal cybersecurity program in place.
Information security policies and procedures are an important part of any firm’s compliance framework. Firms should ensure that their programs not only meet their specific client requirements, but also comply with the industry’s information security standards. Engaging a third party with the appropriate level of expertise could be the most effective and cost-efficient solution for law firms.