Every day, there seems to be a new headline about another organization whose data security has been breached. It’s happening to big and small entities — even ones you wouldn’t expect. As cyberattacks become more and more sophisticated, the need to have a strong data protection plan in place becomes even more necessary.
For years, lawmakers have struggled to implement effective procedures that actually change the way organizations approach data security planning. Ohio is changing the game. The state recently passed the Ohio Data Protection Act (DPA), which is the first law that accomplishes the goal of offering organizations strategic incentives to comply with recommended cybersecurity practices. This act offers safe harbor against data breach claims for companies who implement, maintain, and comply with one of several approved programs, designed to protect against data breaches.
In the event of a breach, a company that has complied with the DPA can assert DPA compliance as a defense to any claim that may come up. This could have monumental positive effects for that company, as data breaches are often the root of sunken reputations, breaks in client trust, lawsuits, and heavy financial stress.
How does a business qualify for the DPA?
In order to receive the safe harbor promised to businesses that comply, a business must implement a written cybersecurity program that adheres to the following guidelines:
- Protects the security and confidentiality of personal information
- Protects against potential threats or hazards to the security or integrity of personal information
- Protects against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or fraud
The DPA also provides that the scale and scope of the business’s cybersecurity protection program should correspond with the following factors:
- The company’s size and complexity
- The nature and scope of its activities
- The sensitivity of the personal information maintained by the company
- The cost and availability of tools to improve information security
- The resources available to the company
How does this relate to HIPAA compliance?
One of the requirements to qualify for the DPA is that the organization’s cybersecurity program “reasonably conforms” to one of the following frameworks:
- National Institute of Standards and Technology’s (NIST) Cybersecurity Framework
- NIST Special Publication 800-171 or Special Publications 800-53 and 800-53a
- Federal Risk and Authorization Management Program’s (FedRAMP) Security Assessment Framework
- Center for Internet Security’s Critical Security Controls for Effective Cyber Defense
- International Organization for Standardization (ISO)/International Electrotechnical Commission’s (IEC) 27000 Family — Information Security Management Systems Standards
If the business in question accepts payment in the form of cards, then in order to qualify for the DPA, they must also comply with the Payment Card Industry’s Data Security Standards (PCI-DSS), in addition to one of the generally applicable frameworks mentioned above.
Similarly, there are many companies that are subject to certain state or federally-mandated sector-specific laws. These companies may also rely on the affirmative defense if they can prove that their organization conforms with additional security requirements, like those identified in the Health Insurance Portability and Accountability Act (HIPAA), Title V of the Gramm-Leach-Bliley Act (GLBA), the Federal Information Security Modernization Act (FISMA), or the Health Information Technology for Economic and Clinical Health Act (HITECH).
So, if your organization is one that is required to adhere to sector-specific laws, HIPAA compliance may be part of DPA compliance as well.
How can Total HIPAA help?
Here at Total HIPAA, data safety and security is of utmost importance to us. We are a team of professionals with the knowledge and expertise to guide you toward a plan that will not only help you protect your business’s data, but its reputation as well. With the help of Total HIPAA, you can minimize your risk for a data breach and better understand what you need to do to stay up to date with all relevant procedures.
If you would like to know more about our online HIPAA training or our customized compliance solution, HIPAA Prime, email info@totalhipaa.com today. Or, get started here.
