Elections Aside, Pennsylvania and Ohio Provide Insight for National Duties of Care in Cybersecurity
2018 witnessed significant change in cybersecurity. That change constituted a measurable shift in legal and regulatory focus from actions entities must take after a cybersecurity incident to those an organization must undertake before such an incident. Multiple states enacted statutes with requirements that organizations design and implement written cybersecurity programs to protect the confidentiality, integrity, and availability of personal data. California’s Consumer Privacy Act, which was signed into law on June 28, 2018, received a great deal of attention. The New York DFS cyber regulations, while dating back to 2017, gained traction as organizations are now required to have senior personnel certify compliance with the regulations and, as of March 1, 2019, to conduct due diligence on the cybersecurity safeguards of their third-party vendors. Multiple states, including South Carolina, Michigan, and Ohio, enacted the NAIC Model Law on Data Security.
In February 2018, the Securities and Exchange Commission issued guidance emphasizing that public companies implement effective and appropriate controls to enable accurate and timely disclosures of cyber risks. In October, the SEC also released a study warning that the failure to implement effective controls to mitigate the risk of successful phishing attacks could violate federal securities laws. In the waning days of 2018, the Department of Health and Human services issued a detailed set of best practices for healthcare providers to combat common and significant cyber risks.
This shift in focus places greater emphasis on the duty of care to prevent and mitigate the effects of a successful cyberattack. Yet, organizations, courts, and litigants alike have been left to determine that duty of care. While the DFS cyber regulations and NAIC Model Law addressed the question indirectly by requiring data security programs to be based upon risk assessments, the approach still leaves important questions unanswered. For instance, what level of cybersecurity is enough, and how does an organization’s size or financial resources factor into the measure of adequate cybersecurity practices?
In FTC v. Wyndham Worldwide Corporation, the United States Court of Appeals for the Third Circuit held that the Federal Trade Commission was not required to explain “with ascertainable certainty” what cybersecurity practices are adequate. Although the decision was intended to provide flexibility in creating appropriate cybersecurity practices, it left many organizations wanting further guidance. Given that a recent survey conducted by Accenture reports that over two-thirds of the world’s business leaders are not confident that their companies are using collected data in a “highly responsible way,” this is a problem.
Recent developments in Pennsylvania and Ohio offer some guidance as to companies’ responsibility and duty of care when collecting data. In Dittman v. University of Pittsburgh Medical Center, the Pennsylvania Supreme Court established a common law duty of reasonable care for companies that collect personal data. In Ohio, the enactment of the Data Protection Act provides concrete measures of an adequate cybersecurity program with a flexible, evaluative test. These developments foreshadow the direction of cyber law by providing organizations and courts with guidance on what to do.
Dittman v. University of Pittsburgh Medical Center
The Pennsylvania Supreme Court’s decision in Dittman establishes that a company that collects data has a duty of reasonable care to protect that data. Because the Court relied upon longstanding principles of tort law, the decision extends beyond its employer-employee relationship context and applies to circumstances where an organization affirmatively collects personal data.
In Dittman, former and current employees of the University of Pittsburgh Medical Center (UPMC) commenced a class action lawsuit after UPMC sustained a data breach compromising employee personal information. Plaintiffs asserted that UPMC failed to implement adequate security measures to protect the data, including early detection, proper encryption, and authentication protocols. Applying the tort principle that a person who undertakes an affirmative act must exercise reasonable care, the Court concluded that UPMC’s collection of employee data was an affirmative act to trigger such a duty. Although wrongdoing of a third party acts as a superseding event to absolve the affirmative actor of liability; the Court concluded that this principle did not apply in the case before it. Instead, because UPMC collected plaintiffs’ personal data, it knew or should have known that a third party might try to hack into its alleged inadequately secured network to steal the data. Thus, “the criminal acts of third parties in executing the data breach do not alleviate UPMC of its duty to protect [plaintiffs’] personal and financial information from that breach.”
While most high courts have wrestled with arguments of speculative versus concrete injury for Article III standing in the context of data breach litigation, Dittman is the first high court decision to recognize a common law duty for data security. It is a decision that also reflects changing perceptions. The Dittman trial and appellate courts had refused to recognize a common law duty, expressing concerns of increased litigation and the absence of ascertainable standards of reasonable care. The Pennsylvania Supreme Court inherently rejected those concerns, characterizing the case as the “application of an existing duty to a novel factual scenario.” 
Where there is a duty, there must be a duty of care. However, the Dittman Court did not address the specifics of what that duty of care may look like. What is “reasonable care” in the context of data security? This is no small matter. Yet, the Ohio Data Protection Act provides a framework to answer that question.
The Ohio Data Protection Act of 2018
Effective November 2, 2018, Ohio’s Data Protection Act provides a legal safe harbor from liability for the failure to maintain an adequate data security program where an organization maintains and complies with “a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry recognized cybersecurity framework.”  The statute identifies specific cybersecurity frameworks that would enable an organization to qualify for the safe harbor against tort liability. Those frameworks are NIST’s the “framework for improving critical infrastructure cybersecurity” (i.e., the NIST Cybersecurity Framework), NIST’s 800-53 and 800-171 data security standards, FedRAMP, the CIS Critical Security Controls for Effective Cyber Defense, and the ISO 2700 family.
These frameworks provides tangible and detailed guidance and controls upon which an organization may design and implement a cybersecurity program. The statute provides companies with several blueprints for cybersecurity programs written in a manner that a Chief Information Officer or Chief Information Security Officer would understand. In the alternative, organizations may choose to have their programs “reasonably” conform with requirements of the Health Insurance Portability and Accountability Act (HIPAA) or Health Information Technology for Economic and Clinical Health (HI-TECH) Act, the Gramm-Leach-Bliley Act (GLBA), or the Federal Information Security Modernization Act (FISMA). Organizations also may look to model a data security program after the payment card industry data security standard (PCI DSS).
The Data Protection Act also takes the next analytical step by defining the meaning of “reasonably conform” in a five-factor test to assess whether an organization’s written cybersecurity program qualifies the organization for the safe harbor. Under the statute, the scale and scope of the organization’s data security program are appropriately based on the following factors:
- The size and complexity of the covered entity;
- The nature and scope of the activities of the covered entity;
- The sensitivity of the information to be protected;
- The cost and availability of tools to improve information security and reduce vulnerabilities; and
- The resources available to the covered entity.
Thus, the statute provides courts with a codified test to evaluate whether an organization’s cybersecurity measures were adequate. It allows courts to judge the efforts of a small company differently than a large one in terms of resources and the availability and costs of tools to improve security. It is a test that examines the information at hand, as some data is more sensitive than other data. It is a test that implicitly recognizes a fundamental tenet of cybersecurity: that a one-size-fits-all approach cannot work. It also provides organizations important guidance when implementing their cybersecurity programs. It is a test that courts may look to outside of Ohio and under other statutory schemes, including the CCPA, to assess the reasonableness of actions undertaken by a company prior to a cybersecurity incident and compliance with those regulatory schemes.
The Dittman decision and enactment of the Ohio Data Protection Act are independent developments; and yet they fit lockstep. Article III standing issues aside, Dittman answers the question of whether companies that collect data have a duty of care to protect that data. The Ohio Data Protection Act provides a menu of flexible frameworks and a five-factor test by which to measure that duty and compliance with it. Both incentivize companies to implement strong and appropriate cybersecurity programs and reduce what the Center for Internet Security (CIS) has referred to as the “Fog of More” in its Critical Security Controls for Effective Cyber Defense. Both fit squarely with evolving perceptions of cybersecurity and cyber risk. Both provide a strong roadmap for organizations and courts alike to follow.
©2019 by the American Bar Association. Reprinted with permission. All rights reserved. This information or any or portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.
 F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236, 255–56 (3d Cir. 2015) (“We thus conclude that Wyndham was not entitled to know with ascertainable certainty the FTC’s interpretation of what cybersecurity practices are required by § 45(a).”).
 Roseman, “Companies Are Collecting More Data on Employees, and Not At All Confident They Are Doing It Responsibly,” available at https://www.cnbc.com/2019/01/23/the-next-big-negotiation-with-a-boss-access-to-your- personal-data.html.
 Dittman v. UPMC, 196 A.3d 1036, 1038 (Pa. 2018).
 Id. at 1038–39.
 Id. at 1046-47.
 Id. at 1047–48. It is important to note that Dittman was decided at the dismissal stage, where courts are required to treat the allegations in a complaint as true.
 Dittman v. UPMC, No. GD-14-003285, 2015 WL 13779479 (Pa. Com. Pl. May 28, 2015), aff’d, 2017 PA Super 8, 154 A.3d 318 (2017), vacated, 196 A.3d 1036 (Pa. 2018), aff’d, 154 A.3d 318, 324 (Pa. Super. Ct. 2017), rev’d, 196 A.3d 1036 (Pa. 2018).
 Dittman, 196 A.3d at 1046.
 O.R.C. Ann. §§ 1354.01-05.
 O.R.C. Ann. § 13540.2(A), (D). The program must be specifically designed to (1) protect the security and confidentiality of information, (2) protect against anticipated threats and hazards to data security, and (3) protect against the unauthorized access or acquisition of information likely to result in material risk to the data subjects. O.R.C. Ann. § 13540.2(B).
 O.R.C. Ann. § 13540.3(A). Subsequent to the enactment of the Data Protection Act, Ohio also enacted the NAIC Model Law on Data Security. O.R.C. Ann. § 3965.01-.11. Compliance with an information security program under the model law also qualifies for the safe harbor. O.R.C. Ann. §§ 3965.03(J), 3965.08.
 O.R.C. Ann. § 13540.3(B), (C).
 O.R.C. Ann. § 1354.02(C). The NAIC Model Law, as enacted by Ohio, considers similar factors. O.R.C. Ann. § 3965.02(A).
 CIS, Critical Security Controls for Effective Cyber Defense (Version 6), Introduction at 1.
 Of note, both the ABA Cybersecurity Handbook and the ABA Formal Opinion 483 recognize standards for “reasonable” cybersecurity safeguards should be flexible and fact-specific, not safeguard-specific. See ABA Formal Opinion 483, “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack,” at 9; ABA Cybersecurity Handbook:” A Resources for Attorneys, Law Firms, and Business Professionals 73 (2d ed. 2018).