Columbus Chamber of Commerce issued the following announcement on Aug. 13.
thinkCSC responds to the passage of Ohio’s Data Protection Act, with new services to help organizations obtain safe harbor if they experience a data breach
thinkCSC is pleased to announce the addition of several new services to help organizations that wish to comply with the voluntary cybersecurity framework. Now that Senate Bill 220, known as the Ohio Data Protection Act, has been signed into law, organizations of every size have an opportunity to limit liability in the case of a data breach. To meet the requirements for safe harbor, the organization must demonstrate compliance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The NIST Cybersecurity Framework is a voluntary framework that provides organizations with standards, guidelines, and best practices to better manage cybersecurity-related risk.
The Ohio Data Protection Act was enacted in order to provide protection to Ohio organizations that invest in mitigating cybersecurity risks. Organizations already meeting the compliance requirements of HIPAA, GLBA and/or FISMA would also be protected. The legislation has had strong support from Ohio Attorney General Mike DeWine as part of his CyberOhio initiative. Upon the passing of the bill, he released the following statement:
“I congratulate Senator Hackett and Senator Bacon for working with their Senate and House colleagues to pass this important bill and send it to the governor’s desk and commend the governor for signing it into law. By encouraging Ohio business owners to take appropriate and proven steps to enhance their cybersecurity, Ohioans can be confident that their personal information will be better protected. Companies have even more incentive to invest in strong cyber security controls.”
The Ohio Data Protection Act states that if an organization implements and maintains a cybersecurity program that complies with one of the established cybersecurity frameworks (NIST, HIPAA, GLBA, etc.), then that organization “is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information.”
According to the Act, to qualify for safe harbor, the organization must:
1. Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry recognized cybersecurity framework; or
2. Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of both personal information and restricted information and that reasonably conforms to an industry recognized cybersecurity framework.
To help organizations meet the minimum standards set forth in the Act, thinkCSC has announced the following services, required to comply with NIST guidelines, available to all private and public businesses, non-profits, and K-12 educational institutions:
Cybersecurity Gap Analysis
Security Awareness Program Implementation
Security Awareness Training Program
Incident Response Policy
Internal & External Combined Penetration Testing
Policy Review & Development
Tom Hastings, President of Columbus-based thinkCSC, commented, “Complying with these cybersecurity protocols not only provides organizations with safe harbor and limits their liability should a breach occur, but it also gives them the ability to reassure their own customers and clients that they take their responsibility seriously when it comes to protecting data.” thinkCSC is one of the few Ohio IT managed service providers assisting organizations in reaching the level of compliance needed to obtain safe harbor.
thinkCSC encourages every organization to take the steps necessary to take advantage of Ohio’s Data Protection Act. To learn more about how your organization can begin the process, contact thinkCSC now.