USA - Ohio

cybersecurity program that (1) contains administrative, technical and physical safeguards for the protection of personal information and that (2) reasonably conforms to an industry-recognized cybersecurity framework.[1] Ohio’s DPA notes that the cybersecurity program shall be designed to protect the security of personal information, protect against anticipated threats to the security or integrity of the information, and protect against unauthorized access to the personal information.[2] The DPA notes that the scale and scope of a cybersecurity program is appropriate if based on factors such as (1) the size and complexity of the covered entity, (2) the sensitivity of the information to be protected, (3) the nature and scope of the activities of the covered entity, and (4) the resources available to the covered entity.[3]

“Industry recognized” cybersecurity frameworks to which a cybersecurity program may conform include:
- the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity;
- NIST Special Publication 800-171;
- NIST Special Publications 800-53 and 800-53a;
- the Federal Risk and Authorization Management Program’s (FedRAMP) Security Assessment Framework;
- the Center for Internet Security Critical Security Controls for Effective Cyber Defense; or
- the International Organization for Standardization / International Electrotechnical Commission’s 27000 Family – Information Security Management Systems.[4]

5.4. New Data Protection Requirements Under OPPA

Under OPPA, processors would be required to maintain “reasonable” administrative, technical, and physical safeguards to protect the security and confidentiality of personal data.[5] OPPA notes that safeguards

[1] Ohio Rev. Code, 1354.02(A)(1)-(2)
[2] Ohio Rev. Code, 1354.02(B)(1)-(3)
[3] Ohio Rev. Code, 1354.02(C)(1)-(5)
[4] Ohio Rev. Code, 1354.03(A)(1)
[5] Ohio Personal Privacy Act, Sub. H. B. No. 376, 134th General Assembly
https://www.mcdonaldhopkins.com/