Ohio Data Protection Act

Published:
Oct. 12th, 2018

On Sept. 21st, 2018, Ohio Governor John Kasich signed off on “Senate Bill 220” which has been aptly nick-named the Ohio Data Protection Act. Nationally, this is the first bill of its kind to motivate certain businesses to implement a number of specific cyber-security controls by rewarding them with a legal and affirmative defense.

Affirmative Defense, in this case, is a group of facts other than those alleged by the plaintiff or prosecutor that are used to protect business owners should the business be sued due to a cyber infiltration. If the defendant is able to prove that they fall under compliance of these facts, they overcome or mitigate the legal consequences of their otherwise lawful conduct.

Eligible businesses can rely on their congruency to specific frameworks of cyber security as an Affirmative Defense against tort claims in data breach litigation. As such, the state of Ohio is granting legal incentive to said businesses to comply with these cyber security programs.

Organizations that want to take advantage of this incentive must implement a documented cyber security program that was made to protect the security and confidentiality of a small to large company’s environment/environments. To ensure the company has been granted an Affirmative Defense, it must be able to prove that they “Reasonably Conform” to one of the options for cyber security programs.

Listed are the options for which cyber security frameworks are accepted. Businesses must implement at least one and reasonably conform.

National Institute of Standards and Technology’s (NIST) Cybersecurity Framework
NIST special publication 800-171, or 800-53 and 800-53a
Federal Risk and Authorization Management Program’s Security Assessment Framework
Center for Internet Security’s Critical Security Controls for Effective Cyber Defense
International Organization for Standardization (ISO)/International Electrotechnical Commission’s (IEC) 27000 Family – Information Security Management Systems Standards.