We recently posted on the Ohio Attorney General’s CyberOhio initiative and forecasted that the Ohio Attorney General might be the first of many Attorneys General to join forces with industry in the struggle to protect consumer information. Ohio Deputy General Counsel Craig Rapp, Director of CyberOhio, contacted our blog not only to agree with our prediction, but also to shed more light on what is transpiring in his state. In short, CyberOhio seeks to incentivize – rather than demand – adoption and usage of cybersecurity best practices. The future of CyberOhio appears to be focused on three critical areas of cybersecurity: 1) education; 2) legislation; and 3) threat information sharing.
Education: The Ohio AGO is using the CyberOhio platform to reach out to businesses, provide a crash course in cybersecurity, and advise businesses on what they can do to protect consumer information. Through a presentation designed to be a “Cybersecurity 101” class, Director Rapp hopes to provide Ohio’s businesses with the basic tools necessary to prevent the most common and easily preventable forms of data breaches. Indeed, Ohio businesses have shown a thirst for this information and regularly contact the Ohio AGO seeking this instruction. Through responding to inquiries from businesses and leveraging connections with local and small business chambers, Director Rapp hopes more and more businesses receive this training so that businesses in every corner of Ohio have some baseline level of cyber-threat awareness and defenses.
Legislation: The ongoing cybersecurity conversation between the Ohio AGO and Ohio businesses is proof that both parties are on the same side in this conflict. However, the Ohio AGO recognizes that expanding use of and compliance with cybersecurity best practices requires more than mere conversation. It requires law. Nevertheless, the AGO is supporting and helping draft legislation that, in many ways, is industry friendly. The legislation envisions a safe harbor for businesses employing the cybersecurity standards articulated in the bill. It is a “carrot” rather than a “stick,” seeking to incentivize heightened cybersecurity and business growth. As such, the legislation perfectly reflects the collaborative spirit of the CyberOhio initiative.
Information sharing: Lastly, Director Rapp anticipated that businesses will increasingly work among themselves to cultivate and implement effective cybersecurity practices, notwithstanding government mandates to do so. He pointed to the Northeast Ohio CyberConsortium (“NEOCC”) as a model of a cybersecurity information-sharing cohort that, hopefully, can be replicated elsewhere in the state and nation. NEOCC is a group of businesses in Northeast Ohio formed to address and mitigate escalating cyber threats across various industries. Its goals include: 1) Sharing timely and actionable information on cyber-attacks; 2) Discussing strategies and tactics to combat cyber-attacks and collectively mitigating threats; 3) Identifying best practices and lessons learned across industries; 4) Crowdsourcing cyber-defense intelligence from other prominent members of the community; and 5) Cultivating the next generation of talent and developing new policies that will facilitate a continuous risk mitigation process that may be implemented internally by Consortium members. Supporting organizations like NEOCC is one of the ways industry can stay ahead (or, at least, closely on the heels) of ever-changing and evolving cyber threats. Recognizing this reality, the Ohio AGO has actually partnered with NEOCC to roll out a statewide information share.
The Security, Privacy and the Law Blog thanks Director Rapp for taking the time to speak with us and apprise us of the Ohio AGO’s cybersecurity strategies and goals. As always, we welcome any information on innovative cybersecurity initiatives from across the nation.