Ohio Data Protection Act Provides New Safe Harbor for Data Breaches

November 2018

In June 2018, the Ohio legislature passed Senate Bill 220, known as the Ohio Data Protection Act (the “Act”). The Act takes a new approach to cybersecurity in that it creates an affirmative defense for companies that suffer a data breach if they have a written cybersecurity program in place. According to the Act, it is “intended to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action.” The Act took effect November 2, 2018. The following is a brief discussion of the Act.

Who Is Subject?

The applicability of the Act is broad in scope. It provides the affirmative defense to a “covered entity” for tort claims following a data breach. A covered entity is any business that “accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside [Ohio].” Personal information is an individual’s name combined with a social security number, driver’s license number or account number or credit or debit card number, with any required security code or password that permits access to that financial account. Restricted information is any information about an individual, other than personal information, that can identify an individual when combined with other information, such as personal information, and the breach of which is likely to result in a material risk of identity theft or fraud.

What Must a Business Do to Comply?

In order to utilize the affirmative defense, the covered entity must create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information, or personal information and restricted information, and that reasonably conforms to an industry recognized cybersecurity framework, such as CIS Critical Security Controls, FedRAMP, PCI Standards, the HIPAA Security Rule, the Safeguards Rule of the Gramm-Leach-Bliley Act and others.

The Act provides that the scale and scope of the cybersecurity program should be based on the size and complexity of the covered entity, the nature and scope of the entity’s activities, the sensitivity of the information, the cost and availability of tools to improve information security, and the resources available to the entity. The cybersecurity program must be designed to do the following:

  • Protect the security and confidentiality of the information;
  • Protect against any anticipated threats or hazards to the security or integrity of the information; and
  • Protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud.

Recently, data protection requirements for businesses have been expanding rapidly, such as under the California Consumer Privacy Act of 2018 (discussed in September 2018 and October 2018 alerts) or the EU's General Data Protection Regulation (GDPR) (discussed in a December 2017 alert), without giving businesses much to show for compliance other than freedom from penalties and fines. Now, Ohio is giving businesses more: an affirmative defense.

The Act rewards and incentivizes compliance and strong cybersecurity programs with an affirmative defense for when things go wrong. If you would like assistance with complying with the Ohio Data Protection Act, feel free to contact one of our Cybersecurity & Data Privacy attorneys.