Momentum is building for federal privacy legislation, with several different proposals circulating in Washington.  Ohio’s new cybersecurity law offers an interesting approach for incentivizing companies to protect their customers’ personal data.

We have written previously on two competing models for cybersecurity regulation—“standards” versus “rules.”  The standards-based approach, historically employed by the FTC and certain state laws, imposes broad, flexible requirements that mandate that a company establish a “reasonable” or “industry standard” cybersecurity program, without specifying how.  By contrast, the rules-based approach to cybersecurity regulation, notably employed by the New York Department of Financial Services and the state of Massachusetts, favors concrete measures that a company must take to be deemed compliant, largely without regard to the company’s particular risks or characteristics.  We have previously detailed the differences between these approaches; both encourage compliance primarily through punitive considerations, i.e., fear that failure to meet the regulatory obligations will result in an enforcement action (on top of whatever damage is caused by the breach).

The Ohio Data Protection Act (the “DPA”) is more of a “carrot” model.  The DPA, which went into effect on November 2, 2018, establishes a limited safe harbor for organizations that suffer a data breach.  Specifically, the DPA allows a covered entity to claim an affirmative defense to a tort action brought under Ohio laws or in Ohio courts, where a data breach is alleged to have resulted from the failure to implement reasonable information security controls.  Ohio Rev. Code § 1354.02(D)(1).  To qualify for the safe harbor, the cybersecurity program must take into consideration the size and complexity of the covered entity, the nature and scope of its activities, the sensitivity of the information to be protected, the cost of available protective measures, and the resources of the covered entity.  Id. at § 1354.02(C).  The DPA requires that cyber programs reasonably conform to an industry-recognized cybersecurity framework so as to protect the security and confidentiality of the information, protect against anticipated threats or hazards, and protect against unauthorized access or acquisition of data.  Id. at § 1354.02(A), (B).

The DPA is certainly an interesting approach, but its immediate impact may turn out to be limited.  First, the law only provides a protection under Ohio law or in Ohio courts, so it may be of little value to entities subject to regulation across many states.  Second, the law only provides a defense against tort causes of action, offering no shelter against contractual or statutory claims.  Finally, the Ohio law places a burden on the affected company to demonstrate the reasonableness of its cybersecurity program, which may require the affected company to participate in limited discovery and disclose sensitive details about its cybersecurity apparatus in and around the time of the breach—potential red meat for litigants as well as intrepid hackers.

Although Ohio’s safe harbor approach is new for cybersecurity laws, there is precedent for offering the maintenance of robust compliance programs as an affirmative defense.  For example, the United Kingdom allows an “adequate procedures” defense against liability for alleged violations of the UK Bribery Act.  Similarly, the Department of Justice has established policies promoting fine reductions, resolution without a monitor, and consideration of a declination to violators of the Foreign Corrupt Practices Act who implement an effective compliance program and demonstrate certain cooperation, remediation, and disgorgement requirements.  Davis Polk has covered these policies in more detail here and here.

The safe harbor approach is also gaining prominence in proposed cybersecurity regulations, featuring in the Shield Act under debate in New York as well as draft federal legislation advanced by a major semiconductor manufacturer last month.

Federal preemption of state law has been one of the points of debate surrounding national cybersecurity or privacy legislation.  Opponents of preemption argue that allowing states to make their own rules promotes experimentation with different approaches, and that it is too early to settle on one national model for data privacy and cybersecurity regulation when so much is still unknown and untested.  The DPA’s incentive-driven approach shows that there are ideas to explore and test in determining the best regulatory framework.  The effectiveness of the DPA will likely inform the ongoing debate and formulation of subsequent legislation.  Davis Polk clients are encouraged to check out the Davis Polk Cyber Portal for tools to manage cybersecurity and privacy regulatory requirements, and to continue to follow the Davis Polk Cyber Blog for more coverage on this topic and other issues in data privacy and cybersecurity.