Although the cybersecurity industry has made great strides recently at reducing the number of digital attacks, bad actors continue to surprise the internet with increasingly sophisticated and clever strategies for breaching online data. This ongoing issue has become a painful and expensive thorn in the side of businesses around the country, many of whom have suffered significant losses, both financial and otherwise, at the hands of hackers. As a result, most responsible entities with an online presence have committed themselves to strengthening and protecting their network systems through robust cybersecurity tools, ongoing training, and sizeable service fees. But despite these best efforts, some organizations still find themselves in hot water when a malicious attack on their system succeeds.
Up until now, the impetus for protection has been on the business itself, who must work with internal audit to maintain and comply with an industry-defined cybersecurity program. Otherwise, they face punitive legal repercussions from both the US government and the public. This relationship has left many organizations around the US feeling abandoned in the deep end of the pool, where there is no safe harbor from the ongoing cyber threats of today. In response, several states, such as California, Delaware, and Connecticut have instituted Data Privacy laws to regulate how personal online information is handled. However, the state of Ohio recently took the trend one step further, when Attorney General Mike DeWine collaborated with Governor John Kasich to implement the Ohio Data Protection Act, (DPA), which took effect on August 3rd, 2018. As the first law of its kind, the Ohio DPA has offered much-needed support to businesses in need of protection after disciplinary action has been taken against them.
The Blame Game
When there is a data breach, people always look for someone to blame, and this responsibility typically falls on the shoulders of the victimized company. In truth, even relatively insignificant attacks can result in the loss of sensitive information, which means companies are always on the lookout for ways to limit their liability. The Ohio DPA essentially offers “safe harbor” to any business that “accesses, maintains, communicates, or processes personal or restricted information” by providing them with an affirmative defense in data breach claims on tort law. By invoking this defense—assuming the case arises under tort law and falls under Ohio jurisdiction—businesses can refute liability in certain cases where they are accused of failing to implement reasonable cybersecurity measures, which resulted in a successful data breach. The measure has resonated so well with businesses, many other states are beginning to follow suit.
Today, the definition of what is “reasonable” in the world of cybersecurity exists in industry-recognized frameworks. Using a series of specialized applications, Apptega can help your organization to easily build, manage, and report a program that complies with any of these standards:
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
- NIST Special Publications 800-53, 800-53A, or 800-171
- American Institute of Certified Public Accountants SOC for Service Organizations (SOC 2)
- Center for Internet Security Critical Security Controls (CIS CSC)
- International Organization for Standardization (ISO) 27001
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule Subpart C
- Federal Information Security Modernization Act of 2014 (FISMA)
- Payment Card Industry standard (PCI) plus another listed framework
- New York Department of Financial Services 23 NYCRR 500 (NYDFS 500)
Any business in compliance with one of these listed frameworks has the freedom to tailor the scope of their cybersecurity program to meet their unique professional needs. Each Apptega application represents an element of control in your company’s larger cybersecurity compliance and management. By sharing data with other applications through a single online dashboard, you can save yourself hours of manual administrative work while offering unprecedented visibility and control of your entire security program. How you design this program will depend on various factors like the activity, size, complexity, profitability, resources, and sensitive-nature of your business. In a nutshell, these frameworks demand businesses implement security programs that protect against these three things:
- Unsafe storage and dissemination of digital data
- Anticipated threats or hazards to the security or integrity of the information
- Unauthorized access and theft of any data likely to result in stolen identity or other fraud
These guidelines offer businesses a way to stay proactive in their cybersecurity efforts while continuing to gather and disseminate sensitive online data. It also incentivizes companies who are not currently adhering to recommended security protocol to get on board and protect themselves—and their customers. With the combined protection of innovative laws like the Ohio DPA and Apptega’s cybersecurity management software, businesses can now find safe harbor in the ongoing storm of digital life.