Ohio Looks to Strengthen Data Security via New Privacy Terms for Contractors

Date: September 17, 2024

In March 2024, the State of Ohio took a significant step toward bolstering data security by releasing comprehensive Data Security and Privacy Terms. These new terms are designed to outline and enforce the responsibilities of contractors working with the state, ensuring that all proposed solutions—whether cloud-based, on-premises, or hybrid—meet stringent security and privacy standards. This move underscores Ohio’s commitment to protecting sensitive state data amid increasing cyber threats.

The newly released terms cover a wide range of environments and scenarios. Contractors must adhere to the guidelines whether they are working in cloud environments (such as Software as a Service, Platform as a Service, or Infrastructure as a Service), on-premises setups, or hybrid configurations. This comprehensive approach ensures that no matter where or how contractors operate, they are held to the same high standards of data security.

Key issues addressed by the new terms:

• Alignment with national standards: Contractors are required to maintain security in accordance with the National Institute of Standards and Technology (NIST) Special Publication 800-53. This publication, which provides a catalog of security and privacy controls for federal information systems and organizations, sets a robust framework that contractors must follow. Ohio has specified that all solutions must operate at the moderate level baseline as defined by the current version of NIST 800-53, ensuring a high level of security across the board.

• Rigorous annual audits: To ensure ongoing compliance with the terms, contractors must undergo annual audits of their services. The audits must meet the American Institute of Certified Public Accountants (AICPA) Statements on Standards for Attestation Engagements (SSAE) No. 18, Service Organization Control (SOC) 1 Type 2, and SOC 2 Type 2 standards. The results of the audits must be provided to the state within 30 days of receipt, and any identified issues must be promptly addressed by the contractor at no cost to the state.

• Comprehensive information security programs: Contractors are also required to establish and maintain an Information Security Program (ISP). This program must include a combination of policies, procedures, technical and organizational safeguards, and training programs designed to protect state data from unauthorized access, loss, destruction, alteration, or disclosure. By mandating such comprehensive ISPs, Ohio aims to create a proactive approach to data security among its contractors.

• Data residency and integrity: All state data at rest must reside within the contiguous United States and be stored in at least two geographically distinct data centers. This requirement is intended to safeguard against localized disasters and to preserve data availability and integrity. It extends to all contractor locations, ensuring a consistent approach to data handling and storage.

• Vigilant source code management: To further enhance security, contractors must conduct thorough scans of all source code for vulnerabilities. These scans must be performed both before and after any changes are made to the source code. Any identified vulnerabilities must be promptly remediated, and the state must be provided with patches at no additional cost. Contractors are also required to follow best practices for application code review and to adhere to the most current version of the Open Web Application Security Project (OWASP) Top 10.

• Swift response to security incidents: In the event of a security incident, contractors are responsible for a swift and comprehensive response, including containment, eradication, and recovery efforts. They must report any security incidents or unauthorized disclosures of state data to the state within 24 hours and provide follow-up reports until the incident is fully resolved. This rapid response requirement is designed to ensure that any potential damage can be minimized and addressed promptly.

• State-initiated audits: In addition to annual audits, the state reserves the right to conduct its own Security and Data Protection Audits at any time. These audits can include thorough reviews of contractor controls, security and privacy functions, data storage and encryption methods, and backup and restoration processes. The state may engage third-party contractors to perform these audits, ensuring an independent and objective assessment of the contractor’s security posture.

With the release of these new Data Security and Privacy Terms, Ohio is setting a high standard for data protection and security. By clearly defining the responsibilities of contractors and establishing stringent requirements for data handling, security incident response, and ongoing auditing, the state aims to safeguard sensitive information and maintain public trust.

To ensure your organization is prepared to meet Ohio’s new data security standards, it’s crucial to stay informed and proactive. Reach out to HBK Risk Advisory Services today for a consultation on how these new terms could impact your current contracts and future opportunities. Our experts can help you navigate these regulations, implement necessary safeguards, and ensure your compliance with Ohio’s stringent requirements.
