As more regulations aimed at protecting privacy are created, the courts will be left to determine what is reasonable. On September 1, 2018, Colorado’s new privacy legislation went into effect. The legislation applies to any organization that maintains, owns or licenses personally identifiable information (PII) of Colorado residents. The law requires written policies governing the disposal of paper and electronic records containing PII, requires covered persons and entities to take reasonable steps to protect PII, and requires detailed notice of data security breaches to consumers and, in certain cases, the Attorney General. Ohio took a different approach and is the first state to enact business-friendly, incentive-based data protection legislation that rewards companies that reasonably conform to at least one major recognized cybersecurity framework. A conforming company will be granted a liability shield in the event of litigation for some data breach claims.
Many companies will leverage other companies that conform to the major cybersecurity frameworks - companies like AWS and Azure - AND incorporate governing law provisions such as Ohio in contracts in order to take advantage of the liability shield. It’s important to understand the regulations that apply to your lines of business, and develop AND monitor a data security compliance program so you can take advantage of protections that are offered and reduce your risk by taking reasonable steps to protect data.
Written by Emily McNeeley, CIPP/US, Attorney, Intuitive Edge Team