How Microsoft can help you on your compliance journey for the Ohio Data Protection Act
April 25, 2019
Today’s post was written by Alonzo Barber, Senior Attorney – Corporate, External, and Legal Affairs
Ohio recently enacted the Ohio Data Protection Act (“ODPA”), the first legislation of its kind in the United States. The law provides a comprehensive legal incentive for cybersecurity investment and may be a game changer for the technology and legal landscape for Ohio businesses. The Ohio State and Cleveland Marshall Schools of Law published a white paper analysis of the ODPA. The white paper specifically calls out the important role that cloud service providers such as Microsoft can play in enabling businesses to avail themselves of the benefits of the ODPA through a shared responsibility model for protecting data.
This response to the white paper provides an overview of Microsoft’s commitment to the compliance, privacy and security of our customers’ data. Also included below are highlights of several tools and resources that IT professionals can use to build and manage a robust cybersecurity framework within their organization, allowing them to take full advantage of the protections under the ODPA.
What is the ODPA?
The Ohio Data Protection Act is unique among state laws seeking to improve data security. Instead of setting minimum cybersecurity standards or imposing new penalties, the ODPA provides an incentive for businesses to create, maintain, and comply with a cybersecurity program that conforms to industry best practices. The law does this by providing an affirmative defense against tort claims arising out of a data breach, brought in an Ohio court or under Ohio law, if the business can show reasonable conformity to one of the ten cybersecurity frameworks enumerated in the legislation.
At a basic level, a company must create, maintain, and demonstrate compliance with a written cybersecurity program that includes administrative, technical, and physical safeguards to protect data. ODPA offers a company flexibility to select appropriate safeguards by taking into account several factors, including the resources available to the company and the risk level associated with the protected information the company maintains in its systems.
Moving your data to the Microsoft Cloud moves your company closer to compliance with ODPA
When businesses entrust their enterprise data to cloud service providers, the business and the service provider share responsibility for protecting the data. The business never fully relinquishes ultimate responsibility for the security and protection of the data. However, when an organization moves workloads to the cloud, it can take advantage of the service provider’s compliance profile to satisfy many of the compliance obligations required under the ODPA. Microsoft has a compliance profile that meets or exceeds hundreds of global security and data protection standards and regulations, including all of the security frameworks listed in the ODPA.
Microsoft assists your company with managing your compliance program
Under the ODPA, Ohio businesses must demonstrate adherence to an appropriate data security program within their organization that reasonably conforms to one of the security frameworks set forth in the Act. Microsoft offers several tools and resources that help our customers manage the internal controls protecting their data, and that customers can use to demonstrate they adhere to a data security program.
Microsoft Trust Center: https://www.microsoft.com/en-us/trustcenter
The Microsoft Trust Center provides a holistic view into how Microsoft addresses privacy, security and compliance across all of its cloud products and services. The Trust Center is also the repository for various tools and resources to educate consumers on how Microsoft instills trust in our cloud.
Service Trust Portal: https://servicetrust.microsoft.com/
The Microsoft Service Trust Portal provides customers with a variety of content, tools, third-party audit reports, and other resources about Microsoft security, privacy and compliance practices. Microsoft makes available independent third-party audit reports of our online services, and information about how they can help your organization maintain and track compliance with standards, laws, and regulations.
Compliance Manager: https://servicetrust.microsoft.com/ComplianceManager
With the free Microsoft Compliance Manager tool, compliance and IT professionals can interactively track the various controls for a specific regulation or security framework and identify which controls Microsoft’s cloud satisfies and which controls the customer must manage. Compliance Manager also offers templates for establishing and documenting internal compliance processes. Customers can also perform their own security risk assessment via Compliance Manager and benchmark the results against other businesses.
Enterprise Mobility and Security website: https://www.microsoft.com/en-us/enterprise-mobility-security
Microsoft Enterprise Mobility and Security (EMS) is an intelligent mobility management and security platform. It helps protect and secure your organization and empowers your employees to work in new and flexible ways. This service also provides a single view into the controls you will use to manage the spectrum of security, including threat management, data governance, and search and investigation. EMS increases the security features of Windows 10 and Office 365 and extends them to your entire environment including third-party investments.
The ten cybersecurity frameworks enumerated in the ODPA are:
NIST Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF);
NIST Special Publication 800-171;
NIST Special Publications 800-53 and 800-53A;
FedRAMP Security Assessment Framework (FedRAMP SAF);
Center for Internet Security’s “Critical Security Controls for Effective Cyber Defense” (CIS Controls);
ISO/IEC 27000 Family – Information Security Management Systems (ISO 27000 Family);
Health Insurance Portability and Accountability Act security requirements (HIPAA);
Gramm-Leach-Bliley Act Title V (GLBA);
Federal Information Security Modernization Act of 2014 (FISMA); and
Health Information Technology for Economic and Clinical Health Act (HITECH).