Calling it “landmark data privacy legislation,” Ohio legislators have introduced a bill that “would establish data rights for Ohioans while requiring businesses to adhere to specific data standards.” House Bill 376, or the Ohio Personal Privacy Act (OPPA), was announced July 13 by State Representatives Rick Carfagna and Thomas Hall and Lt. Gov. Jon Husted. If the legislation passes, Ohio will join more than 20 other states enacting data privacy legislation and standards.
The Act “would primarily apply to businesses with $25 million or more in gross revenue in Ohio or businesses that control or process large amounts of data,” according to the Ohio House of Representatives’ press release. The bill includes a list of requirements for businesses, including “posting privacy notices and disclosing where data is being sold,” the release noted. There will be certain exemptions for businesses and industries that already have data privacy standards in place under regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act, which requires financial institutions to explain their information-sharing practices to consumers.
The OPPA also offers an incentive for all businesses. It would change the law to encourage businesses to be proactive by providing an “affirmative defense” against legal claims for businesses that develop and implement their own data privacy programs meeting the standards set forth in the latest version of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (https://www.nist.gov/privacy-framework/privacy-framework).
The NIST framework, like other NIST frameworks, does not offer a third-party assurance program to standardize and oversee reporting. So the question remains: How will businesses demonstrate their “compliance” with the NIST framework and what evidence will be sufficient? And to what degree do we trust self-reporting? The lack of trustworthy and valid self-reporting of the NIST 171 guidelines under DFARS 252.204-7012 is essentially what prompted the U.S. Department of Defense’s Cybersecurity Maturity Model Certification.
Other “privacy frameworks,” such as ISO 27701, offer certification or third-party assurance, allowing businesses to demonstrate the effectiveness of their privacy standards, which is particularly useful should they need to rely on the affirmative defense’s safe harbor provisions in the event of a breach. As well, the latest version of the American Institute of CPAs’ SOC 2 Trust Services Criteria includes “privacy” as a criterion on which businesses and their auditors report and communicate an organization’s ability to meet privacy standards. However, it is unclear whether any of these mechanisms will suffice to meet OPPA requirements, or to what extent an organization will have to demonstrate its compliance with the NIST Privacy Framework.
As we await clarity on these issues, one thing is certain: State regulations are shifting, and most businesses will need to implement and maintain a data privacy program. To what degree they will need to communicate assurances to stakeholders is unclear, but it is something you should be discussing with your advisors.