In our society today, our personal information is sought by nefarious people around the world. When successful, hackers can steal identities and unlawfully take our money, assets and reputations.
The struggle we face as individuals is amplified for business owners. Cyber criminals prefer to obtain many people’s personal information in a single attack, which they can do by breaking into the customer database of a single business.
Until now, the huge number of separate businesses in our country has decreased the chances that any particular small business will be targeted. In other words, most of our small businesses have been safe from cyber-attack because hackers, who typically seek the most personal information per attack, usually have “larger fish to fry.”
However, hiding among the masses and “hoping” to avoid a cyber-attack is not a reasonable long-term policy for small businesses. Customers expect, and deserve, the confidence of knowing that the businesses with which they share personal information will do their best to protect that information.
The struggle for most small businesses has been, “How much protection from data theft does this particular business owe to its customers?” This is a question that I have asked myself many times as an attorney who must possess my clients’ personal information in order to serve my clients.
I have taken the extra-protective approach. In the last year, I quadrupled my monthly investment in computer hardware and software protections/improvements. I have purchased what I understand to be the world’s literally most comprehensive insurance policy for data theft, in which I invest many thousands of dollars a year in premiums. Nonetheless, there is always more that can be done.
Obviously, most businesses cannot invest endless amounts of money in data protection without extraordinary increases in the cost of the goods and services they provide to their customers. Fortunately, “How much data protection is enough?” is a question Ohio law will soon answer.
Ohio’s Data Protection Act takes effect on Nov. 1. The Data Protection Act sets forth criteria and certain steps that each small business can take to create a “safe harbor,” the legal standard for how much must be done for that business to be “reasonable” under the law and safe from being sued into oblivion for data theft resulting from a cyber-attack.
To have the safe harbor protections, a business must have a cyber security program/policy that it follows religiously. The cyber security program must “reasonably conform” with the requirements of the example “cyber security plans” of at least one of six major international or national business advisory groups. “Reasonably conform” is defined by the business’s size, complexity, character of activities and available resources, coupled with the sensitivity of the information being protected.
However, if the business is regulated under various state or federal laws (such as lending institutions or credit bureaus) or is a healthcare-related entity that is required to satisfy HIPAA, this requirement can be satisfied by complete compliance with the applicable state or federal laws.
Lee R. Schroeder is an Ohio licensed attorney at Schroeder Law LLC in Putnam County. He limits his practice to business, real estate, estate planning and agriculture issues in northwest Ohio. He can be reached at Lee@LeeSchroeder.com or at 419-659-2058. This article is not intended to serve as legal advice, and specific advice should be sought from the licensed attorney of your choice based upon the specific facts and circumstances that you face.