WHAT YOU NEED TO KNOW:
Ohio is taking a unique approach to addressing data breaches by offering businesses that meet certain requirements a safe harbor against lawsuits following a data breach.
Specifically, the act provides an affirmative defense against tort actions brought under Ohio law or in Ohio courts alleging failure to implement reasonable information security controls resulting in a data breach to those entities that adopt certain cybersecurity frameworks.
The new Ohio Data Protection Act became effective in late 2018. The Act provides the safe harbor to businesses that create, maintain, and comply with written cybersecurity programs that include administrative, technical, and physical safeguards for protecting personal information and that reasonably conform to an industry-recognized cybersecurity framework such as:
- The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity;
- NIST Special Publication 800-171;
- NIST Special Publications 800-53 and 800-53a;
- The Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework; or
- The Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense.
In addition, an entity’s cybersecurity program will also be found to conform to an industry-recognized cybersecurity framework if the entity is subject to and conforms to the security requirements of the Health Insurance Portability and Accountability Act (HIPAA), Title V of the Gramm-Leach-Bliley Act, the Federal Information Security Modernization Act, or the Health Information Technology for Economic and Clinical Health Act. Covered entities subject to the payment card industry data security standard may also be eligible for safe harbor status.
WHAT SHOULD YOU DO?
Make sure your cybersecurity program is compliant. If you have questions about how your business can comply with the Ohio Data Protection Act, contact the author of this alert.