In recent years, high profile data breaches at major companies and government agencies have shown that cybersecurity is more than a private concern — it’s a matter of public safety. To combat widespread inadequacies across a number of industries, several states are implementing new laws designed to regulate businesses into using up-to-date cybersecurity best practices.
The Ohio Data Protection Act, or S.B. 220, is one such example of that push. Although S.B. 220 is a voluntary act, its existence should encourage auto and truck dealerships to upgrade their network and data storage practices to meet best practices.
Why? As part of S.B. 220, compliance with an approved framework creates a legal “safe harbor” against civil actions when a business is accused of failure to implement reasonable information security controls that resulted in a data breach.
What is the ODPA?
The Ohio Data Protection Act is part of CyberOhio, a larger cybersecurity initiative launched by Mike DeWine, Ohio’s Attorney General, to protect businesses and private citizens from unsafe network and data storage practices at businesses.
S.B. 220 provides protection against legal recourse to firms operating in Ohio that “reasonably conform” to one of eight recognized frameworks, including those developed by the National Institute of Standards and Technology (NIST).
Businesses can choose from the following frameworks to secure compliance under the act:
- NIST SP 800-171
- NIST SP 800-53 and 800-53A
- The Federal Risk and Authorization Management Program (FedRAMP)
- Center for Internet Security (CIS) Critical Security Controls
- The ISO 27000 Family
- The HIPAA Security Rule
- Gramm-Leach-Bliley Act
- The Federal Information Security Modernization Act (FISMA)
How to comply with the Ohio Data Protection Act
Auto and truck dealerships that wish to comply with S.B. 220 must do the following:
- Create and maintain a written cybersecurity program that conforms to one of the eight industry-recognized cybersecurity frameworks listed above. This program must cover administrative, technical, and physical safeguards as they relate to personal and/or restricted information.
- Design a program that protects the confidentiality of personal and/or restricted information in the event of a cybersecurity incident.
- Establish a cybersecurity protocol that anticipates threats and hazards to personal and/or restricted information.
- Implement safeguards against unauthorized access to prevent identity theft and/or fraud.
In addition, compliance thresholds in S.B. 220 are scaled to accommodate factors such as business size and complexity, so smaller businesses can meet the threshold of compliance without an excessive burden.
What are the goals of the ODPA?
The overarching goal of S.B. 220 is to incentivize businesses of all sizes to invest in protecting the security and confidentiality of the information they have. In addition, the guidelines are meant to promote ongoing cybersecurity as a way to protect against anticipated threats and hazards.
By reducing unauthorized access to information, the act will hopefully limit the material risk of identity theft and fraud for private citizens who are currently left exposed by inconsistent standards across industries (and the carelessness that comes with those lax protections).
What the Ohio Data Protection Act is:
- Voluntary — S.B. 220 gives businesses protection from lawsuits stemming from cybersecurity breaches, but compliance is not a requirement in order to do business in Ohio.
- Secure — S.B. 220 uses industry-recommended cybersecurity frameworks to improve overall protections on customer data and networks.
- Proactive — Auto and truck dealerships that keep their cybersecurity posture up to date with NIST standards dramatically reduce their likelihood of an incident.
What it is not:
- Legally binding — While you may still face action in civil court, there is, unlike under California’s CCPA, no financial penalty for not adhering to an S.B. 220-approved framework.
- Punitive — Adherence to S.B. 220 provides protection from tort action in the event of a cyberattack, but it’s not designed to enable increased liability for businesses that don’t meet best practices.
- Comprehensive — Businesses aren’t required to adhere to cybersecurity best practices under S.B. 220, so much of the impetus for maintaining due diligence remains on individual dealerships. As best practices evolve to meet new challenges, so will the need to update your network protections.
Cybersecurity concerns for auto and truck dealerships
Your average dealership collects valuable data from hundreds of customers. However, unlike the healthcare and finance industries, there’s almost no government oversight of auto and truck retailers to ensure that their networks and data storage methods adhere to best practices. In fact, many dealerships run outdated cybersecurity software that leaves their networks wide open to attack.
As a result, the industry is increasingly being targeted by cybercriminals. Data breaches and ransomware attacks are on the rise. Auto dealerships spend millions returning their systems to working order after something as simple as a phishing email scam.
Legal frameworks like Ohio’s S.B. 220 offer businesses a great launching pad, but ongoing due diligence is necessary for anyone storing customer data in this increasingly dangerous digital world.