Ohio may be ahead of the curve.
The Ohio State Senate recently introduced Senate Bill 220, which seeks to create a safe harbor from certain liability, provided that one of several recognized cybersecurity standards has been substantially adopted and followed.
The purpose of this pending statute is to create an incentive for various entities to adopt appropriate standards and levels of cybersecurity, with an apparent emphasis on healthcare-related entities that store or transmit PHI (protected health information).
It seems readily apparent that, with the passage of time, we are out of necessity becoming more digitally connected, and therefore more exposed to data breaches. Many experts believe that it is either impossible or impractical to expect any network to be impregnable; at a practical level there is no way to guarantee that a particular system will not be breached. Even if an impenetrable network existed, there are many organizations for which the cost of securing their systems to that degree is more than they can afford.
As it currently stands, if a network is breached and there are direct damages, the entity that suffered the breach can look forward to being sued by the individuals whose information was improperly accessed. In the cases we read about, involving thousands, tens of thousands, or even millions of breached records, the basic line of defense has been the plaintiffs' inability to prove damages or harm. So, for example, if Equifax were breached, the most basic defense it would have is to force potential plaintiffs (the victims) to prove that they were actually damaged. However, if a number of the victims could prove damages, a serious mass tort case could develop.
Can or should there be a concept of a safe harbor, where a defendant maintains that it has done everything reasonable to prevent a breach, and is therefore, as a matter of law, not negligent or liable for the breach? Obviously, being able to assert that type of defense would require two things: a baseline of what counts as acceptable cybersecurity, and a statute (or possibly high court rulings, which would be limited to the geographical jurisdiction of the court) establishing that meeting a certain level of security takes the breached company out of the realm of liability for a claim of negligence.
As I understand it, that is exactly what Ohio is attempting to do in Senate Bill 220.
Ohio is trying to create a safe harbor while at the same time offering the cybersecurity standards set forth in the statute as baseline security measures, which will incentivize the adoption of those standards.
While Ohio cannot immunize or create a safe harbor for violations of federal law such as HIPAA and HITECH, the bill would create a safe harbor for tort actions arising under common law or Ohio statutes.
Among the safe harbor standards, ANY of the following qualifies:
- NIST Special Publication 800-171;
- NIST Special Publications 800-53 and 800-53A;
- The Federal Risk and Authorization Management Program (FedRAMP);
- The Center for Internet Security (CIS) Critical Security Controls.
While this bill has not yet been passed, the idea behind it seems both timely and sensible. Note that the safe harbor is framed as a defense, not blanket immunity: whether a given program was in fact "substantially" adopted and followed would still be a question the breached entity has to prove.
Data breaches are the new reality. Cyberwarfare may in fact be more devastating than conventional arms attacks.
It may be more important to incentivize companies to adopt appropriate standards than to penalize them when the seemingly inevitable breach happens.
What do you think?