In my years at IBM and now at Columbus Collaboratory, I have been asked to build internal programs, software products, marketing organizations and many other forms of business capabilities. The work has been for organizations that range from three employees up to a million employees across a range of industries and maturities. Despite this wide variation, the pattern is simple and repeatable: establish a goal, define agnostic metrics, baseline, invest, measure, and then repeat. The act of establishing agnostic measures doesn’t create maturity, but it establishes visibility and quantifiable evidence for trending and comparison on the path to maturity. Ohio’s Legal Safe Harbor law establishes agnostic measures through ratified cybersecurity frameworks and encourages firms to invest, measure, and mature to meet their specific firm’s cybersecurity objectives.
In August, when the Ohio state senate enacted SB220 — the Legal Safe Harbor law providing protections for those firms implementing cybersecurity programs — it appeared on the surface to take a different approach to security than many other US states. Year to date, many states, including California, Arizona, Virginia and more, have joined their counterparts¹ in crafting or updating legislation that explicitly addresses consumer data protections and breach notification requirements. So why does Ohio’s law, which will go into effect in November², focus on business protections instead?
At its core, SB220 outlines the necessary conditions that an Ohio-based firm must meet to mount a defense against tort claims brought by individuals whose information was the subject of a data breach. In spirit, however, this legislation’s intention is to provide an incentive for firms across all industries — not just those who submit to previously established cybersecurity compliance frameworks — to establish and strengthen their security programs with three effects:
- Strengthen the security of both their proprietary information and their customer information to reduce the risk of compromise;
- Defend and recover more quickly and effectively in the event that a compromise occurs; and
- Notify the authorities and the affected consumers in a timely fashion, and communicate and report on remediation plans.
So yes: SB220 establishes legal protections for corporations in the state of Ohio in the event of a data breach, but that is the carrot. The stick that will improve consumer protections, in the face of increasing threats, is compelling businesses to level up their cybersecurity best practices. Every Ohio firm will benefit from reviewing its current policies and practices and prioritizing where to invest effort, resources, and technologies to put a compliant cybersecurity framework in place. Here is some guidance on what you should do, whatever the state of maturity of your policies and procedures today:
- Assess your risk. This entails reviewing the sensitive nature of the information and data that flows into, among, and out of your organization in the course of every one of your business processes, and attributing its security value.
- Review your security controls. This entails determining and managing, on an ongoing basis, who can access your data and information and for what purpose. It also requires you to evaluate how information is protected (for example, encrypted) when it is stored, transmitted and used.
- Evaluate your technology. Determine how completely and how rapidly your business will identify its vulnerabilities and be forewarned of threats, and what procedures you will rely upon to address shortcomings and to defend against or remediate attacks and breaches.
- Assign your management accountability. From the smallest business to the largest enterprise, responsibility for defining security policies, implementing procedures and understanding their effectiveness must be established. SB220 specifically requires that firms document their programs, and while it doesn’t go as far as other legislation that requires each firm to designate a Chief Information Security Officer³, you will want to assign an executive-level owner for creating, implementing and maintaining your policies and ensuring ongoing support from your Board and the rest of your executive team.
- Choose your compliance framework. Ohio’s legislation requires that each firm select from among existing cybersecurity best-practice frameworks to document its compliance. These frameworks are drawn from industries that play key roles in the nation’s critical infrastructure and, as such, have established frameworks for cybersecurity policies and procedures. Some of these include HIPAA for the healthcare industry, Gramm-Leach-Bliley for the financial services industry, and NIST SP 800-171 for the Department of Defense and its partners.
There is a right-sized solution for an organization of any size and for the degree of risk that you can bear. The Columbus Collaboratory has been partnering with clients to evaluate their operations, the sensitivity of the information that they process in the normal course of doing business, and the application of expertise, best practices and technology to protect that information and defend against threats. The enactment of Ohio SB220 affords your business important legal protections if you do the right thing by your customers and their data. Let us help you take the first steps in levelling up your cybersecurity game and achieving not only compliance but peace of mind.