Goering Center news: Ohio’s new data protection act

By R. David Weber, Esq.

Recent high-profile cybersecurity breaches at some of the world’s largest companies, such as Equifax, Facebook and Marriott International, have highlighted the dangers posed by cyberbreaches to businesses and their customers. These mega-breaches have led to negative publicity, consumer backlash and class-action lawsuits totaling in the billions of dollars. The market has responded to this growing threat by spawning a cottage industry of data protection consultants and identity theft detection, protection and insurance products. Government is also racing to catch up with hackers by, until now, primarily passing laws that punish businesses for failing to adequately protect customer data. In late 2018, however, Ohio’s legislature took a different approach by passing a first-of-its-kind law that provides businesses incentives for bolstering cybersecurity.

The Ohio Data Protection Act (ODPA) became effective on Nov. 2, 2018. It provides sole proprietors, associations, for-profit business entities and non-profit business entities a safe harbor against legal claims resulting from data breaches. Compliance with the ODPA is completely voluntary. Businesses face no requirement to comply; however, those that do are rewarded with increased protection from lawsuits in the event that sensitive data is compromised.

For those businesses that choose to comply, the ODPA provides flexibility. To be protected, businesses must “create, maintain and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to” one of five industry-recognized cybersecurity frameworks:

1. The Center for Internet Security’s Critical Security Controls
2. The Federal Risk and Authorization Management Program
3. The International Organization for Standardization/International Electrotechnical Commission’s 27000 Family - Information Security Management Systems
4. The National Institute of Standards and Technology (“NIST”) Cybersecurity Framework; or
5. NIST Special Publication 800-171, 800-53, or 800-53(a) (Ohio Revised Code § 1354.02; 1354.03)

In addition, businesses may also claim safe harbor protection if they maintain a written cybersecurity program as required by the ODPA and are regulated by and comply with certain other Ohio and/or federal privacy frameworks, including:

1. The Federal Information Security Modernization Act of 2014
2. The Health Insurance Portability and Accountability Act of 1996
3. Health Information Technology for Economic and Clinical Health Act
4. The Gramm-Leach-Bliley Act of 1999.

Finally, if a business processes payment cards, it may comply with the Payment Card Industry Data Security Standard to qualify for the safe harbor.

The major benefit to compliant businesses is a new affirmative defense to legal claims that flow from cybersecurity breaches. In the event of a data breach resulting in litigation, ODPA-compliant businesses can assert ODPA compliance as an affirmative defense to any claim resulting from such data breach, potentially saving businesses from the costs of court judgments and prolonged litigation. This allows businesses to use an established good practice — having a credible, written cybersecurity policy — as a shield against cyberbreach claims.

While legislation in other states has focused on punishing businesses that fail to protect customer data, the ODPA is the first state-level legislation that incentivizes businesses to bolster data security. Compliance is optional, however, businesses large and small would be well-served to consider its benefits. Those benefits include greater protection for sensitive customer information and, if a cyberbreach were to occur, an affirmative defense to potential legal claims.

R. David Weber is an attorney with Cors & Bassett, a Goering Center member organization specializing in business, corporate and transactional matters. Reach Dave at rdw@corsbassett.com or 513-852-8218.