In November 2018, Ohio’s Data Protection Act went into effect with the goal of incentivizing businesses that access, maintain, or process “Personal Information” to update their cyber security programs. The “carrot,” if you will, comes in the form of immunity from any tort claim arising out of an alleged breach of a duty to implement reasonable information security controls.
Ohio’s Data Protection Act does this by requiring any entity that seeks protection under the Act to create, maintain, and comply with a written cyber security program that reasonably conforms to one of the industry-recognized standards or frameworks identified in the Act. The Act is codified at Ohio Revised Code §1354.01 through §1354.05. Section 1354.03 is the section that outlines what constitutes “reasonable conformance” to the various “industry recognized cyber security frameworks,” many of which are specifically tailored to the nature of the covered entity’s business. For example, among the qualifying industry-recognized cyber security frameworks are the requirements of the “Health Insurance Portability and Accountability Act of 1996” for healthcare industry businesses, “Title V of the Gramm-Leach-Bliley Act of 1999” for financial institutions, and the “National Institute of Standards and Technology” framework for improving critical infrastructure cyber security for other businesses. The Act contemplates that each of these standards will evolve, and it continues to provide coverage to any business that conforms to a revised framework not later than one (1) year after the publication date of the revision. Further, the Act specifically provides that the “scale and scope” of a covered entity’s cyber security program will be evaluated in light of: 1) the size and complexity of the covered entity; 2) the nature and scope of the activities of the covered entity; 3) the sensitivity of the information to be protected; 4) the cost and availability of tools to improve information security; and 5) the resources available to the covered entity. O.R.C. §1354.02. In other words, the Act was expressly written to avoid a “one size fits all” cyber security requirement.
Under the Act, whether you are a mom-and-pop storefront or a Fortune 500 company, you are encouraged to invest in recognized and standardized cyber security protocols based upon the size, scope, and nature of your business. If you do so, the Act provides that you have an affirmative defense to any claim of negligence in the handling of protected personal information in the event of a data breach. Clearly, if there was ever an incentive to review your IT program, and particularly your cyber security protocols, Ohio’s Data Protection Act provides good reason to move those efforts to the top of your 2019 list and make sure you are taking the necessary steps to reduce your potential liability exposure in the event of a data breach. If you have questions about this Act or how to protect personal data, please email Mike Sandner at firstname.lastname@example.org or call 937-223-1130.