On Aug. 3, 2018, Ohio passed Senate Bill No. 220, the “Data Protection Act.” The Bill went into effect on Nov. 2, 2018. While many states have implemented punitive laws, Ohio’s new Act is designed to incentivize Ohio businesses to voluntarily implement and maintain a cybersecurity infrastructure. By utilizing one of the suggested cybersecurity frameworks, a business can claim an affirmative defense to allegations that a data incident was caused by failure to adopt reasonable cybersecurity protocols. Effectively, it provides a “legal safe harbor” that is contingent upon businesses being in substantial compliance with one of the supported cybersecurity frameworks. The adoption of the standards is voluntary.
The Act is not intended to create a minimum cybersecurity standard that must be achieved, or to impose liability upon businesses that do not obtain or maintain practices in compliance with the Act. The Act encourages businesses to proactively use higher cybersecurity frameworks rather than mandating their use.
Bill No. 220 supports the following cybersecurity frameworks:
Businesses trying to comply with the Data Protection Act need to adopt one of the supported cybersecurity frameworks and understand it is not “one-size-fits-all.” The scale and scope of the cybersecurity program are appropriate if they are based on all of the following factors:
It's important that businesses can demonstrate, implement and maintain cybersecurity measures. Additionally, businesses should consult with an attorney who specializes in cyber liability.
Cyber Strategic Leader
Sources and additional information can be found at:
Senate Bill No. 220, the “Data Protection Act”
Note: This communication is for informational purposes only. Although every reasonable effort is made to present current and accurate information, Oswald makes no guarantees of any kind and cannot be held liable for any outdated or incorrect information.