Protecting Your Business from Data Breach Liability

A nightmare for your clients can also become a nightmare for your business. If your business suffers a data breach and your client’s confidential information is stolen. You can be liable for any damages your client sustains as a result of your failure to implement reasonable information security controls.

Luckily, there is a new Ohio law that aims to help those businesses that become a victim of a data breach. The Ohio Data Protection Act becomes effective November 2, 2018. The law creates an affirmative defense to any allegation the business failed to safeguard their client’s data. The law specifies conditions a business must meet in order to qualify for the affirmative defense.

First, your business must qualify as a “covered entity.” A covered entity is any business or nonprofit entity, including a financial institution, that accesses, maintains, communicates, or handles personal information or restricted information. The law requires the covered entity to create, maintain, and comply with a written cybersecurity program that contains safeguards for the protection of a client’s personal information. Personal information includes a client’s name, social security number, driver’s license number, and account numbers. The nature of the real estate profession necessitates the collection of a client’s personal financial information. As such under the law, a real estate brokerage may constitute both a covered entity that holds a client’s personal information.

To avail itself of the law’s protections, the brokerage must maintain a written cybersecurity program. The cybersecurity program must contain safeguards to protect a client’s personal information. Specifically, the brokerage’s program must protect the security and confidentiality of a client’s information. As well as protect the brokerage against anticipated threats or hazards to the security of the information and against unauthorized access to a client’s confidential information. A brokerage’s cyber security program must be appropriate for the brokerage’s size and complexity, the nature, and scope of the brokerage’s activities, and the sensitivity of the information to be protected. The law identifies industry recognized cybersecurity frameworks that are eligible for the law’s protections.

If a brokerage implements an approved cybersecurity program, the law permits an affirmative defense to any client lawsuit against the brokerage alleging the brokerage failed to protect a client’s personal information.

Sponsors of the law state the law is intended to be an incentive to encourage businesses to achieve a higher level of cybersecurity and protect personal information.