Ohio Data Protection Act Provides New Safe Harbor for Data Breaches

November 2018

In June 2018, the Ohio legislature passed Senate Bill 220, known as the Ohio Data Protection Act (the “Act”). The Act takes a new approach to cybersecurity in that it creates an affirmative defense for companies that suffer a data breach if they have a written cybersecurity program in place. According to the Act, it is “intended to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action.” The Act took effect November 2, 2018. The following is a brief discussion of the Act.

Who Is Subject?

The applicability of the Act is broad in scope. It provides the affirmative defense to a “covered entity” for tort claims following a data breach. A covered entity is any business that “accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside [Ohio].” Personal information is an individual’s name combined with a social security number, driver’s license number or account number or credit or debit card number, with any required security code or password that permits access to that financial account. Restricted information is any information about an individual, other than personal information, that can identify an individual when combined with other information, such as personal information, and the breach of which is likely to result in a material risk of identity theft or fraud.

What Must a Business Do to Comply?

To use the affirmative defense, the covered entity must create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information, or personal information and restricted information, and that reasonably conforms to an industry-recognized cybersecurity framework, such as CIS Critical Security Controls, FedRAMP, PCI Standards, the HIPAA Security Rule, the Safeguards Rule of the Gramm-Leach-Bliley Act, and others.

The Act provides that the scale and scope of the cybersecurity program should be based on the size and complexity of the covered entity, the nature and scope of the entity’s activities, the sensitivity of the information, the cost and availability of tools to improve information security, and the resources available to the entity. The cybersecurity program must be designed to do the following:

  • Protect the security and confidentiality of the information;
  • Protect against any anticipated threats or hazards to the security or integrity of the information; and
  • Protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud.

Data protection requirements for businesses have been expanding rapidly, for example under the California Consumer Privacy Act of 2018 (discussed in September 2018 and October 2018 alerts) and the EU’s General Data Protection Regulation (GDPR) (discussed in a December 2017 alert), without giving businesses much to show for compliance other than freedom from penalties and fines. Now, Ohio is giving businesses more: an affirmative defense.

The Act rewards and incentivizes compliance and strong cybersecurity programs with an affirmative defense for when things go wrong. If you would like assistance with complying with the Ohio Data Protection Act, feel free to contact one of our Cybersecurity & Data Privacy attorneys.
