Related Posts
Subscribe via Email
Subscribe to our blog to get insights sent directly to your inbox.
The Ohio Data Protection Act was passed in August of 2018 and went into effect as of November 2018. What's unique about this data protection law is that it's unlike recently passed privacy legislation recently seen in California and Colorado.
What's also unique about this Ohio Data Protection Act is that it does not rely on punitive measures as a means to enforcement. The Ohio Data Protection Act offers businesses the ability to self select secure behaviors in a form of voluntary actions in order to receive what's considered a safe harbor. Before we talk about safe harbor, let's chat about who is in scope. The Ohio Data Protection Act applies broadly to any businesses that accesses, maintains, communicates, or processes personal information or restricted information. Restricted information is generally considered any information that is unencrypted about an individual that can be used to distinguish or trace an individual's identity--think of restricted information as a secondary form information that on its own would seem anonymous but if you gather enough of it you could trace this back to a named individual.
What's also unique about this law is the ability for businesses to qualify what's considered safe harbor. Safe harbor requires that a business create maintain and comply with a written security program that reasonably conforms to one of the industry's several recognized cybersecurity frameworks. Some of those include:
Most importantly to leverage safe harbor provisions the cybersecurity program must:
Now the purpose of the Ohio Data Protection Act is to provide covered entities with an affirmative defense in data breach claims based on tort law. By invoking the affirmative defense covered entities may refute liability in certain lawsuits that claim a business's failure to implement reasonable information security measures resulted in a data breach.
The Safe Harbor has several limitations. For business to leverage the affirmative defense in a lawsuit the claim must be brought under Ohio law or in Ohio Courts, it must allege that failure to implement a reasonable information security controls resulted in a data breach, and it must arise under tort law.
As you think about designing your security program and you should think about choosing which security framework is relevant to you. Your cyber security program under Ohio's Data Protection Law must be designed in such a way where you can invoke safe harbor.
Now a key point in the law is that it requires reasonable compliance with one of the frameworks that I listed earlier. The Ohio Data Protection Act also allows covered entities to tailor and scale and scope their cybersecurity program according to their own business needs. In selecting the appropriate security program businesses or entities should also consider the size and complexity of their business. Considerations should also be given to actual sensitivity of information, the cost and availability of tools and resources in order to operated the aforementioned frameworks.
Some other states that have done this in the past include Massachusetts and New York and have required businesses that handle personal information to maintain a written information security program or WISP. However what's unique about Ohio's Data Protection Act is that it's voluntary in its approach and it is different from the other programs that tend drive behaviors with fines versus incentives.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.
Subscribe to our blog to get insights sent directly to your inbox.