The Ohio Data Protection Act was passed in August of 2018 and went into effect as of November 2018. What's unique about this data protection law is that it's unlike recently passed privacy legislation recently seen in California and Colorado.
1. It's not a punitive law
What's also unique about this Ohio Data Protection Act is that it does not rely on punitive measures as a means to enforcement. The Ohio Data Protection Act offers businesses the ability to self select secure behaviors in a form of voluntary actions in order to receive what's considered a safe harbor. Before we talk about safe harbor, let's chat about who is in scope. The Ohio Data Protection Act applies broadly to any businesses that accesses, maintains, communicates, or processes personal information or restricted information. Restricted information is generally considered any information that is unencrypted about an individual that can be used to distinguish or trace an individual's identity--think of restricted information as a secondary form information that on its own would seem anonymous but if you gather enough of it you could trace this back to a named individual.
2. Qualifying for safe harbor requires you align with a framework.
What's also unique about this law is the ability for businesses to qualify what's considered safe harbor. Safe harbor requires that a business create maintain and comply with a written security program that reasonably conforms to one of the industry's several recognized cybersecurity frameworks. Some of those include:
Most importantly to leverage safe harbor provisions the cybersecurity program must:
be designed to protect the security and confidentiality of personal information,
protect against any anticipated threats or hazards to the security or integrity of personal information,
protect against unauthorized access to an acquisition of the information that is likely to result in the material risk of identity theft or other fraud.
3. Offers limitation of breach liability
Now the purpose of the Ohio Data Protection Act is to provide covered entities with an affirmative defense in data breach claims based on tort law. By invoking the affirmative defense covered entities may refute liability in certain lawsuits that claim a business's failure to implement reasonable information security measures resulted in a data breach.
The Safe Harbor has several limitations. For business to leverage the affirmative defense in a lawsuit the claim must be brought under Ohio law or in Ohio Courts, it must allege that failure to implement a reasonable information security controls resulted in a data breach, and it must arise under tort law.
As you think about designing your security program and you should think about choosing which security framework is relevant to you. Your cyber security program under Ohio's Data Protection Law must be designed in such a way where you can invoke safe harbor.
4. Offers ability to flex your program to match business needs
Now a key point in the law is that it requires reasonable compliance with one of the frameworks that I listed earlier. The Ohio Data Protection Act also allows covered entities to tailor and scale and scope their cybersecurity program according to their own business needs. In selecting the appropriate security program businesses or entities should also consider the size and complexity of their business. Considerations should also be given to actual sensitivity of information, the cost and availability of tools and resources in order to operated the aforementioned frameworks.
Some other states that have done this in the past include Massachusetts and New York and have required businesses that handle personal information to maintain a written information security program or WISP. However what's unique about Ohio's Data Protection Act is that it's voluntary in its approach and it is different from the other programs that tend drive behaviors with fines versus incentives.