What You Need to Know About the Ohio Data Protection Act

What Is the Ohio Data Protection Act?

On August 3, 2018, Ohio Governor John Kasich signed the Ohio Data Protection Act (“the Act”) into law. The Act, which went into effect on November 2, 2018, provides affirmative litigation defense to Ohio  companies that have suffered a security incident or data breach involving personal information or restricted information. In short, the Act is intended to be an incentive to encourage Ohio companies to voluntarily implement a robust cybersecurity program. 

Call to Action - How Companies Can Become Eligible For Legal Defense

Companies are entitled to affirmative defense under the Act if several conditions are met. First, a company must implement a written cybersecurity program that “reasonably conforms to an industry-recognized cybersecurity framework.” The cybersecurity program must outline measures that (1) protect the security and confidentiality of personal information; (2) protect against any anticipated threats or hazards to the security or integrity of the personal information; and (3) protect against unauthorized access to and acquisition of information that is likely to result in a material risk of identity theft or other fraud.

The Act recognizes the following as industry-accepted cybersecurity frameworks: 

•    National Institute of Standards and Technology (NIST);

•    Federal Risk and Authorization Management Program (FedRAMP);

•    The Center for Internet Security Critical Security controls for effective cyber defense;

•    The security requirements of HIPAA and HITECH;

•    Title V of the Gramm-Leach-Bliley Act of 1999; and

•    The payment card industry (PCI) data security standard.

 

Secondly, the size and scope of the cybersecurity program must be appropriate for the organization based upon five factors: (1) the size and complexity of the organization; (2) the nature and scope of the activities of the covered entity; (3) the sensitivity of the information to be protected; (4) the cost and availability of tools to improve information security and reduce vulnerabilities; and (5) the resources availability to the organization.

Data Protection Limitations

As of today, the United States does not have any centralized, formal legislation at the federal level regarding data protection and privacy. While Ohio is the first state in the country to implement a law that provides a data breach safe harbor for companies, there are limitations to the coverage this Data Protection Act’s “legal safe harbor” provides.  For example, the Act does not provide companies with blanket immunity from a data breach lawsuit.  The entity would still have the burden of validating that its cybersecurity program complied with the law’s requirements. Furthermore, the safe harbor does not establish a minimum cybersecurity standard nor does it impose liability upon companies that do not comply with the Act.

Looking Forward

No matter how robust a company’s security program may be, data breaches and other types of cyberattacks are an inevitable part of doing business. Adoption of the guidance outlined in the Data Protection Act could set companies ahead of the curve and provide for a valuable defense in subsequent litigations.

Questions?  Contact [email protected]

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
The Impact of the Baltimore Key Bridge Disaster on Supply Chain
IPE 101 – Assessing Management IPE Controls and Report Risks
IPE 101 – Differentiating Populations and Key Reports
IPE 101 – Defining and Understanding Information Produced by Entity
SEC Adopts Final Climate Disclosure Rules
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us
Pittsburgh

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.

×