What Is the Ohio Data Protection Act?
On August 3, 2018, Ohio Governor John Kasich signed the Ohio Data Protection Act (“the Act”) into law. The Act, which went into effect on November 2, 2018, provides affirmative litigation defense to Ohio companies that have suffered a security incident or data breach involving personal information or restricted information. In short, the Act is intended to be an incentive to encourage Ohio companies to voluntarily implement a robust cybersecurity program.
Call to Action – How Companies Can Become Eligible For Legal Defense
Companies are entitled to affirmative defense under the Act if several conditions are met. First, a company must implement a written cybersecurity program that “reasonably conforms to an industry-recognized cybersecurity framework.” The cybersecurity program must outline measures that (1) protect the security and confidentiality of personal information; (2) protect against any anticipated threats or hazards to the security or integrity of the personal information; and (3) protect against unauthorized access to and acquisition of information that is likely to result in a material risk of identity theft or other fraud.
The Act recognizes the following as industry-accepted cybersecurity frameworks:
• National Institute of Standards and Technology (NIST);
• Federal Risk and Authorization Management Program (FedRAMP);
• The Center for Internet Security Critical Security controls for effective cyber defense;
• The security requirements of HIPAA and HITECH;
• Title V of the Gramm-Leach-Bliley Act of 1999; and
• The payment card industry (PCI) data security standard.
Secondly, the size and scope of the cybersecurity program must be appropriate for the organization based upon five factors: (1) the size and complexity of the organization; (2) the nature and scope of the activities of the covered entity; (3) the sensitivity of the information to be protected; (4) the cost and availability of tools to improve information security and reduce vulnerabilities; and (5) the resources availability to the organization.
Data Protection Limitations
As of today, the United States does not have any centralized, formal legislation at the federal level regarding data protection and privacy. While Ohio is the first state in the country to implement a law that provides a data breach safe harbor for companies, there are limitations to the coverage this Data Protection Act’s “legal safe harbor” provides. For example, the Act does not provide companies with blanket immunity from a data breach lawsuit. The entity would still have the burden of validating that its cybersecurity program complied with the law’s requirements. Furthermore, the safe harbor does not establish a minimum cybersecurity standard nor does it impose liability upon companies that do not comply with the Act.
Looking Forward
No matter how robust a company’s security program may be, data breaches and other types of cyberattacks are an inevitable part of doing business. Adoption of the guidance outlined in the Data Protection Act could set companies ahead of the curve and provide for a valuable defense in subsequent litigations.
Questions? Contact [email protected]
