A New Year and a New Approach to State Data Breach Legislation

Published: February 11, 2019


Ohio is taking a unique approach to addressing data breaches by offering businesses that meet certain requirements a safe harbor against lawsuits following a data breach.

Specifically, the Act provides entities that adopt certain cybersecurity frameworks with an affirmative defense against tort actions, brought under Ohio law or in Ohio courts, that allege a failure to implement reasonable information security controls resulting in a data breach.


The new Ohio Data Protection Act became effective in late 2018. The Act provides the safe harbor to businesses that create, maintain, and comply with written cybersecurity programs that include administrative, technical, and physical safeguards for protecting personal information and that reasonably conform to an industry-recognized cybersecurity framework such as:

In addition, an entity’s cybersecurity program will be found to conform to an industry-recognized cybersecurity framework if the entity is subject to and conforms to the security requirements of the Health Insurance Portability and Accountability Act (HIPAA), Title V of the Gramm-Leach-Bliley Act, the Federal Information Security Modernization Act, or the Health Information Technology for Economic and Clinical Health Act. Covered entities subject to the Payment Card Industry Data Security Standard may also be eligible for safe harbor status.


Make sure your cybersecurity program is compliant. If you have questions about how your business can comply with the Ohio Data Protection Act, contact the author of this alert.
