Ohio Data Protection Act Provides New Safe Harbor for Data Breaches

November 2018

In June 2018, the Ohio legislature passed Senate Bill 220, known as the Ohio Data Protection Act (the “Act”). The Act takes a new approach to cybersecurity in that it creates an affirmative defense for companies that suffer a data breach if they have a written cybersecurity program in place. According to the Act, it is “intended to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action.” The Act took effect November 2, 2018. The following is a brief discussion of the Act.

Who Is Subject?

The applicability of the Act is broad in scope. It provides the affirmative defense to a “covered entity” for tort claims following a data breach. A covered entity is any business that “accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside [Ohio].” Personal information is an individual’s name combined with a social security number, driver’s license number or account number or credit or debit card number, with any required security code or password that permits access to that financial account. Restricted information is any information about an individual, other than personal information, that can identify an individual when combined with other information, such as personal information, and the breach of which is likely to result in a material risk of identity theft or fraud.

What Must a Business Do to Comply?

In order to utilize the affirmative defense, the covered entity must create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information, or personal information and restricted information, and that reasonably conforms to an industry-recognized cybersecurity framework, such as CIS Critical Security Controls, FedRAMP, PCI Standards, the HIPAA Security Rule, the Safeguards Rule of the Gramm-Leach-Bliley Act and others.

The Act provides that the scale and scope of the cybersecurity program should be based on the size and complexity of the covered entity, the nature and scope of the entity’s activities, the sensitivity of the information, the cost and availability of tools to improve information security, and the resources available to the entity. The cybersecurity program must be designed to do the following:

  • Protect the security and confidentiality of the information;
  • Protect against any anticipated threats or hazards to the security or integrity of the information; and
  • Protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud.

Recently, data protection requirements for businesses have been expanding rapidly, for example under the California Consumer Privacy Act of 2018 (discussed in September 2018 and October 2018 alerts) and the EU’s General Data Protection Regulation (GDPR) (discussed in a December 2017 alert), without giving businesses much to show for compliance other than freedom from penalties and fines. Now, Ohio is giving businesses more: an affirmative defense.

The Act rewards and incentivizes compliance and strong cybersecurity programs with an affirmative defense for when things go wrong. If you would like assistance with complying with the Ohio Data Protection Act, feel free to contact one of our Cybersecurity & Data Privacy attorneys.
