Ohio Governor John Kasich signed the Ohio Data Protection Act, which will provide a legal safe harbor against data breach claims to businesses that implement specified cybersecurity controls. Ohio Senate Bill No. 220 (S.B. 220), also known as the Ohio Data Protection Act (the Act), goes into effect on November 2, 2018.
The Act is intended to provide incentives for businesses to invest in a robust cybersecurity framework. The Act will be codified at O.R.C. §§ 1354.01-1354.05. Ohio is the first state in the country to implement a law that provides a data breach safe harbor for businesses. The Act provides companies with an affirmative defense from tort claims arising out of a data breach concerning personal information if a written cybersecurity program is in place that “reasonably conforms to an industry recognized cybersecurity framework.” The Act recognizes the following as industry recognized cybersecurity frameworks:
- National Institute of Standards and Technology (NIST) “framework for improving critical infrastructure cybersecurity” along with NIST special publications 800-171; 800-53; and 800-53A;
- The Federal Risk and Authorization Management Program (FedRAMP) security assessment framework;
- The Center for Internet Security Critical Security Controls for effective cyber defense;
- For Covered Entities, as defined by HIPAA rules, the security requirements of HIPAA set forth in the Code of Federal Regulations 45 CFR Part 164 subpart C and HITECH as set forth in 45 CFR part 162;
- Title V of the Gramm-Leach-Bliley Act of 1999, as applicable to financial institutions; and
- The payment card industry (PCI) data security standard, as applicable to companies that accept payment cards.