Media Center


Ohio Passes “Data Protection Act” to Encourage Businesses to Proactively Use Higher Cybersecurity Frameworks

January 29, 2019

On Aug. 3, 2018, Ohio passed Senate Bill No. 220, the “Data Protection Act.” The Bill went into effect on Nov. 2, 2018. While many states have implemented punitive laws, Ohio’s new Act is designed to incentivize Ohio businesses to voluntarily implement and maintain a cybersecurity infrastructure. By utilizing one of the suggested cybersecurity frameworks, a business can claim an affirmative defense to allegations that a data incident was caused by failure to adopt reasonable cybersecurity protocols. Effectively, it provides a “legal safe harbor” that is contingent upon businesses being in substantial compliance with one of the supported cybersecurity frameworks. The adoption of the standards is voluntary.

The Act is not intended to create a minimum cybersecurity standard that must be achieved, or impose liability upon businesses that do not obtain or maintain practices in compliance with the Act. The Act encourages businesses to proactively use higher cybersecurity frameworks rather than mandating the use.

Bill No. 220 supports the following cybersecurity frameworks:

  1. National Institute of Standards and Technology (NIST) 800-171 and 800-53 and 800-53a
  2. Health Insurance Protection Portability and Accountability Act (HIPAA) or Health Information Technology for Economic and clinical Health Act (HITECH)
  3. Federal Risk and Authorization Management Program (FedRAMP)
  4. Gramm-Leach-Bliley Act (GLBA)
  5. Center for Internet Security (CIS) Controls
  6. Federal Security Information Security Modernization Act (FISMA)
  7. International Organization for Standardization/ International Electrotechnical Commission (ISO_ 27000 Family)
  8. Payment Card Industry Data Security Standard (PCI DSS)

Businesses trying to comply with Data Protection Act need to adopt one of the supported cybersecurity frameworks and understand it is not “one-size-fits-all.” The scale and scope of the cybersecurity program is appropriate if it is based on all of the following factors:

  • Size and complexity of the business
  • Nature and scope of the activities of the business
  • The sensitivity of the information in the businesses’ care, custody and control. For instance, personal health information (PHI), personally identifiable information (PII) and payment card information (PCI)
  • Cost and availability of tools to improve information security and reduce vulnerabilities
  • Resources available to the business.

Its important businesses can demonstrate, implement and maintain cybersecurity measures. Additionally, businesses should consult with an attorney that specializes in cyber liability.

Lacy Rex
Oswald Companies
Cyber Strategic Leader

Sources and additional information can be found at:

Senate Bill No. 220, the “Data Protection Act”


Note: This communication is for informational purposes only. Although every reasonable effort is made to present current and accurate information, Oswald makes no guarantees of any kind and cannot be held liable for any outdated or incorrect information. View our communications policy.