Ohio Creates Safe Harbor for a Data Breach

As we all read in the news, data breaches seem to occur every day. Ohio has become the first state in the Union to create a “Safe Harbor” for businesses against tort claims if a data breach does occur.

The Data Protection Act changes Ohio law so that businesses that take reasonable precautions and meet industry-recommended standards would be afforded a “safe harbor” against legal claims should a data breach occur. To trigger the “safe harbor” provision, businesses must create their own cybersecurity programs that meet certain standards. The legislation identifies eight different industry-recognized cybersecurity frameworks on which businesses can base their programs.

Because a data breach not only damages a business’s brand but costs the offending company no less than $100,000 and up to millions of dollars, businesses in Ohio should take the necessary steps to ensure their cybersecurity program meets the requirements of the Safe Harbor. While this will cost your business time and money, qualifying for the Safe Harbor is well worth the expense of putting the program in place.

You will want to discuss your situation with a lawyer in more detail. The Ohio Data Protection Act goes into effect on November 2, 2018.

Data Breaches – They Don’t Always Happen The Way You Think They Do

When most people hear of a data breach they think of some bad actor on the Internet using sophisticated software to infiltrate online computers. Breaches like Facebook’s recent one get a lot of press and big headlines.

In reality, however, these big news stories account for only about 25% of the data breaches that occur. The other 75% break down into the three types of breaches I describe below:

1. The Former Disgruntled Employee. These employees used to have access to your customer data and are no longer with the company. Before the company locked them out of their computers, however, they took a copy of the company’s user data and are now trying to sell it, use it, or just make big trouble for the company. Any release of the data they took creates a data breach and expensive headaches for the company.

2. The Current Disgruntled Employee. These are the employees who feel the company never listens to them and that management is a bunch of fools who could be doing so much more if only they would listen. They decide to go into business for themselves and make the kind of money they feel they really deserve. Before they leave the company, they take a copy of the company’s client list so they can announce that they have formed a new company to compete with their old one.

3. The Current Employee Who Makes a Dumb Mistake. They copy data to a thumb drive for legitimate purposes, or they are working at a Starbucks and go to the bathroom without locking their computer. They then lose the thumb drive, or someone gets onto the unattended computer, and a copy of customer data is released.

I am sure you can think of many more scenarios, whether innocent mistakes or the acts of a guilty party. As I said above, these types of data breaches account for the vast majority of data breaches, but they don’t make the headlines the way the big company breaches do.

I noted above that a data breach is an expensive headache for the company. The headache is the damage to your brand, the ire of your customers, and the steps you need to take to make things right.

Every state and the entire EU now have data breach laws on their books. If even one person’s data is breached (or suspected of having been breached), you will need to contact the Secretary of State’s Office where that person lives and explain that you had a breach and what you are doing about it. Usually, they will expect the company to put some sort of remedial program in place, such as buying LifeLock for every person affected (not a cheap proposition). Further, the Secretary of State’s Office will usually levy a fine upon the offending company. It is in the company’s best interest to have these conversations handled by an attorney, adding even more cost to the effect of the data breach.

The cost estimates I have seen on data breaches range from two million to six million dollars. The two-million-dollar price tag was for a breach of under 10,000 names. Obviously, a data breach is nothing you ever want to deal with.

Here is a helpful hint: all data breach laws make an exception for encrypted data as long as the encryption key is not part of the breach, so never store the encryption key on the computer that holds the data. In today’s world, encryption is often just a matter of a few simple keystrokes. Both Windows and Apple operating systems offer encryption of your entire hard drive right in your settings.

Now, you just need to encrypt, keep the key off the computer, and make sure those who have the ability to decrypt are trained and monitored for compliance. Even when I make a copy to a thumb drive on my PC, the computer asks if I want to encrypt, to which I always say yes!
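The "encrypt and keep the key off the computer" advice above only helps if every disk and thumb drive actually is encrypted; the following PowerShell audit is an added example, not part of the original post, and assumes a Windows 10/11 machine with BitLocker available and an elevated prompt.

```powershell
# Added example: audit BitLocker on every volume the OS currently sees, so that an
# unencrypted fixed disk or a plugged-in thumb drive is caught before it is lost.
# Assumes Windows 10/11 with the BitLocker PowerShell module; run from an elevated prompt.

$report = foreach ($vol in Get-BitLockerVolume) {
    [pscustomobject]@{
        Drive            = $vol.MountPoint
        Type             = $vol.VolumeType            # OperatingSystem or Data
        Protection       = $vol.ProtectionStatus      # On means BitLocker is actively protecting
        Status           = $vol.VolumeStatus          # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        PercentEncrypted = $vol.EncryptionPercentage
        # Which key protectors unlock the volume (e.g. Tpm, RecoveryPassword, Password)
        Protectors       = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    }
}

$report | Format-Table -AutoSize

# A volume that is not protected is exactly the thumb-drive-in-a-taxi scenario:
# if it is lost, the breach-notification exception for encrypted data does not apply.
$unprotected = $report | Where-Object { $_.Protection -ne 'On' }
if ($unprotected) {
    Write-Warning ("Volumes without BitLocker protection: " + ($unprotected.Drive -join ', '))
}

# The recovery password is the "key off the computer": it must exist and be escrowed
# somewhere other than the device (Active Directory, Azure AD, or a printed copy in a safe).
$noRecovery = $report | Where-Object { $_.Protection -eq 'On' -and $_.Protectors -notmatch 'RecoveryPassword' }
if ($noRecovery) {
    Write-Warning ("Protected volumes with no recovery password protector: " + ($noRecovery.Drive -join ', '))
}

# Removable media that BitLocker has never touched may not appear above at all,
# so list them separately from the volume manager as a reminder to turn on BitLocker To Go.
Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
    ForEach-Object { "Removable drive present: $($_.DriveLetter): ($($_.FileSystemLabel))" }
```

Run this before laptops and thumb drives leave the office; the warnings are the volumes that would turn a lost device into a reportable breach rather than a non-event.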

There are many more actions you can take to secure your data. Please feel free to contact me with any questions or comments you may have.