Ohio Enacts Unique Safe Harbor to Reduce Data Breach Litigation Risks
On November 2, 2018, Ohio became the most recent state to update its data breach laws when the Ohio Data Protection Act took effect.
While other states have taken a punitive approach to cybersecurity and data breaches, Ohio's law provides a safe harbor for businesses that implement and maintain an effective cybersecurity program. If a business that qualifies for the safe harbor is sued in tort by individuals affected by a data breach, it can raise its compliance as an affirmative defense. The safe harbor is a defense, not immunity: the business still has to prove its compliance, and the defense does not apply to breach of contract claims or statutory violations, which may limit its value. Nevertheless, the law takes a novel approach to cybersecurity by offering businesses an incentive rather than repercussions.
The Safe Harbor
Under the law, a business must "create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information and restricted information." To qualify, the program must be designed to:
(1) Protect the security and confidentiality of personal information;
(2) Protect against any anticipated threats or hazards to the security or integrity of the personal information; and
(3) Protect against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.
The law acknowledges that companies of different sizes and in different industries will have different cybersecurity programs, and it lists several factors for judging whether the scale and scope of a program are appropriate: the size and complexity of the business, the nature and scope of its activities, the sensitivity of the information to be protected, the cost and availability of tools to improve information security and reduce vulnerabilities, and the resources available to the business.
While the law is flexible, it also requires that a business "reasonably conform" to one of several industry-recognized or federally mandated cybersecurity frameworks to fall within the safe harbor. For most businesses the recognized frameworks are the NIST Cybersecurity Framework and NIST Special Publications 800-171 and 800-53, FedRAMP, the CIS Critical Security Controls, and the ISO/IEC 27000 family; for certain regulated entities they are the HIPAA Security Rule, Gramm-Leach-Bliley, FISMA, and HITECH; and a business that stores, processes, or transmits payment card data must conform to PCI DSS in addition to one of the other frameworks. When a framework is revised, the statute gives a business one year from publication of the revision to reasonably conform to it.
Companies that do business in Ohio should consider whether they currently fall within the new Ohio safe harbor. Because the defense turns on showing a written program that reasonably conforms to a listed framework, a business should document which framework it follows and keep evidence of that conformance. Ohio's new law also highlights an important trend that applies to all companies: adopting a cybersecurity program that complies with industry standards is generally a positive step toward reducing data breach litigation risks. If you would like to discuss your company's cybersecurity plan, please contact a Foster Swift cybersecurity attorney.
Taylor helps businesses and business owners solve and prevent problems as a member of Foster Swift's Business and Tax practice group. He handles business formation and transactions, tax controversies, employee benefits, and technology-related issues.