Ohio, Colorado Add to State Data Protection Laws

Financial Services Law

While the California Consumer Privacy Act (CCPA) and subsequent amendments have dominated privacy news lately, some states are enacting data protection legislation that could impact financial institutions and businesses.

In Ohio, the legislature established a safe harbor against tort claims for businesses that are the subject of a data breach if they had implemented certain data security standards, while in Colorado, an amendment to state law requires reasonable data security practices and enhanced breach notification requirements.

What happened

With all eyes focused on the new CCPA—and the amendments already passed—other states have imposed data protection requirements on businesses with little fanfare.

Ohio Senate Bill 220, enacted into law on Aug. 3, 2018, establishes an affirmative defense against tort claims that allege a failure to implement reasonable data security controls by a business that suffers a data breach. The affirmative defense is available if the business had implemented a written cybersecurity program that “reasonably conforms” to certain governmental or industry cybersecurity frameworks or laws for the protection of personal information.

The affirmative defense is available to entities that access, maintain, communicate or process “personal information” or “restricted information” via systems, networks or services located inside or outside of the state in any tort action brought in an Ohio court or under Ohio law and alleging that the failure to implement reasonable information security controls resulted in a data breach.

To qualify for the safe harbor, a business must have implemented, maintained and complied with a written cybersecurity program that contains “administrative, technical and physical safeguards” for the protection of personal information and/or restricted information.

The program must reasonably conform to one of a set of designated cybersecurity standards or laws. The set includes ISO 27000, the NIST Framework and FedRAMP, and for regulated entities, the Gramm-Leach-Bliley Act (GLBA) and HIPAA. Businesses that accept payment cards must also comply with the industry standard, PCI DSS.

The security program must be designed to protect the security and confidentiality of the information, protect against anticipated threats or hazards to security or integrity, and protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud. Also, the scale and scope of the data security program must be appropriate in light of the size and complexity of the business, the nature and scope of the business’s activities, the sensitivity of the information, the cost and availability of tools to improve security and reduce vulnerabilities, and the resources available to the covered entity.

The legislation does not apply to contract claims and does not provide a private right of action. It is intended to provide an incentive for businesses to adopt one of the recommended security standards.

The new law goes into effect on Nov. 1, 2018.

Meanwhile, under a new data protection measure that amends Colorado’s data breach notification statute, as of Sept. 1, any organization that maintains, owns or licenses personally identifiable information (PII)—broadly defined to include biometric data, a Social Security number or a password, among other identifiers—must implement and maintain reasonable security procedures and practices that are “appropriate to the nature of the [PII] and the nature and size of the business and its operations.”

Under the new law, an entity that discloses personal information to a third-party service provider must require the service provider to implement and maintain reasonable security procedures appropriate to the type of information and reasonably designed to protect it from unauthorized access or use.

Pursuant to House Bill 18-1128, covered entities must also develop a written policy for the destruction of data containing PII, whether in paper or electronic form.

The law also now requires notice to affected individuals within 30 days if the business determines that a security breach occurred that resulted in, or is likely to result in, the misuse of personal information. Where more than 500 records are at issue, the Colorado attorney general must be notified.


Why it matters

The new laws add to the already complicated patchwork of state privacy and data security laws, including the game-changing CCPA and the first state regulation of data brokers enacted earlier this year in Vermont. The new Ohio measure is the first to provide an affirmative defense for failure to maintain “reasonable security,” a claim prevalent in tort actions, and thus may offer valuable protection for businesses suffering a data breach that are in compliance with a law, regulation or industry standard governing security. The Colorado law follows a pattern common in recent years of imposing a requirement of reasonable security and shortening the required data breach notice period.