
Andy Green of Varonis looks at developments in the California and Ohio state legislatures that take a step toward establishing data security standards: the California Consumer Privacy Act and Ohio’s Data Protection Act, which he says provides an interesting “nudge” to get companies to become compliant.

California’s AB-1035 – which was not passed by the legislature – attempts to amend the CCPA to replace the boilerplate phrase “reasonable security” found in many state data breach laws with a definition: the NIST Framework for Improving Critical Infrastructure Cybersecurity and NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.

The Ohio law – passed last year – gives a legal “safe harbor” to companies facing potential lawsuits: if they follow a prescribed list of standards and frameworks – such as NIST SP 800-171 – they can use this as a defense in their trials.

More at Varonis
