Second cybersecurity bill may be needed in Ohio to protect against other breaches

The Ohio Personal Privacy Act introduced last week designed to protect Ohioans would not have prevented the cyberattack against the Butler County Sheriff’s dispatch center.

But Rep. Thomas Hall, R-Madison Twp., said while House Bill 376 doesn’t address the December attack on the dispatch center, there should be “another bill in regards to just that.”

That attack, which impacted the county’s computer-aided dispatch (CAD) system, came from overseas, said Butler County Sheriff Richard K. Jones. The sheriff’s office insurance company conducted the investigation.

“All we were told was it was from a foreign country,” said the sheriff. “We believe it was from Russia.”

The attack against the Sheriff’s Office highlights the importance of what House Bill 376 would do for private citizens in terms of cybersecurity.

“A person’s individual data is more exposed now more than ever,” said Lt. Gov. Jon Husted, who announced the bill on Tuesday with its joint sponsors, Hall and Rep. Rick Carfagna, R-Genoa Twp. “We continue to research as consumers online, use online services. Our digital exposure is only growing.”

This bill establishes what lawmakers refer to as “data rights” for Ohioans. It requires businesses ― primarily those with $25 million or more in gross revenue in Ohio, or businesses that control or process large amounts of data ― to follow specific data standards.

The bill, among other things, would also:

  • encourage businesses to adopt the National Institute of Standards and Technology Privacy Framework as a standard privacy policy.
  • outline obligations for businesses to follow, such as posting privacy notices and disclosing where data is being sold.
  • give the Ohio Attorney General exclusive authority to enforce the Ohio Privacy Protection Act, and no private right of action would exist. Complaints of alleged violations would be filed with the AG’s office.

The number of data breaches and exposures in the United States has increased 41 percent since 2015, according to a 2020 Data Breach Report authored by the Identity Theft Resource Center.

And though the number of breaches and exposures have declined since the record-setting year in 2017, they’re on the rise this year.

Credit: Alexis Larsen

Credit: Alexis Larsen

Through June, nearly 900 data breaches were publicly reported in the United States, impacting nearly 119 million people, according to the ITRC report. Breaches in the second quarter this year increased 38 percent from the first quarter, and if that rate continues they’ll exceed the nearly 1,700 in 2017. (This data does not include the 1 billion people exposed in data leaks from Facebook and LinkedIn).

James Lee, chief operating officer for ITRC, previously told the Journal-News they’ve known that downward trend would stop, but “we didn’t really expect to see was such as dramatic reversal that will take us from a five-year low to what looks to be an all-time high by the end of the year in just a matter of months.”

The Ohio Personal Privacy Act has not yet been assigned a committee, but Hall said there have been internal discussions about it.

More than 20 states have introduced similar data privacy legislation, and Husted said this bill has been in development for the past two years. California and Virginia have enacted data privacy legislation.

“Data and personal information, f misused, mishandled or inadequately protected, could potentially result in identity theft, financial fraud and other problems which in turn puts the burden on consumers to sort out and in many instances pay for with both their time and treasure,” Husted said.