The state of Ohio recently enacted legislation which creates an affirmative defense for organizations involved in a data breach. “All” the organization has to do is prove that it has in place a written cybersecurity program that reasonably complies with industry standards. This is a great example of using legislation to create a carrot, rather than just a stick, when it comes to cybersecurity. Of course, there is still a lot of wiggle room in the legislation. For example:
- What qualifies as a written cybersecurity program? This may sound like a silly question, but just how detailed must this cybersecurity program be?
- How often must the program be updated?
- What happens if the organization deviates from the plan?
- What “industry standards” are acceptable?
- Is it acceptable to only be in compliance with a single industry standard (e.g., PCI)?
- What is “reasonable” compliance?
Fathom Cyber has created a unique approach to cybersecurity and data privacy that is based on leading standards, like the NIST Cybersecurity Framework and the Center for Internet Security’s top 20 controls, which means your organization can feel confident it will meet Ohio’s requirements (and those of other states and countries). Using our approach, your organization will create a robust, comprehensive, well-documented cybersecurity program that continuously improves and responds to changes in the organization’s business priorities, risks, threat landscape, and legal and regulatory requirements. The cybersecurity plan also documents deviations from the industry standards, to help demonstrate reasonable compliance.
Contact Fathom Cyber to learn more about how our innovative approach to cybersecurity can help your organization enhance its cybersecurity and data privacy protections while limiting its liability. Fathom Cyber: make cybersecurity and data privacy make sense.