On August 3, 2018, Ohio Governor John Kasich signed the Ohio Data Protection Act, which will provide a legal safe harbor against data breach claims to businesses that implement specified cybersecurity controls. Ohio Senate Bill No. 220 (S.B. 220), also known as the Ohio Data Protection Act (the Act) goes into effect on November 2, 2018. The Act is intended to provide incentives for businesses to invest in a robust cybersecurity framework. The Act will be codified at O.R.C. §§ 1354.01-1354.05. Ohio is the first state in the country to implement a law that provides a data breach safe harbor for businesses.
The Act provides companies with an affirmative defense from tort claims arising out of a data breach concerning personal information if a written cybersecurity program is in place that “reasonably conforms to an industry recognized cybersecurity framework.” The Act recognizes the following as industry recognized cybersecurity frameworks:
- The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, along with NIST Special Publications 800-171, 800-53, and 800-53A;
- The Federal Risk and Authorization Management Program (FedRAMP) security assessment framework;
- The Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense;
- For Covered Entities, as defined by the HIPAA rules, the HIPAA Security Rule requirements set forth in 45 CFR Part 164, Subpart C, and the HITECH Act requirements set forth in 45 CFR Part 162;
- Title V of the Gramm-Leach-Bliley Act of 1999, as applicable to financial institutions; and
- The payment card industry (PCI) data security standard, as applicable to companies that accept payment cards.
Additionally, the written cybersecurity program must be designed to: (1) protect the security and confidentiality of the information; (2) protect against any anticipated threats or hazards to the security or integrity of the information; and (3) protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud. Moreover, in order for a business to be entitled to the affirmative defense under the Act, the scale and scope of the cybersecurity program must be appropriate for the organization based upon five factors: (1) the size and complexity of the business; (2) the nature and scope of the business's activities; (3) the sensitivity of the information to be protected; (4) the cost and availability of tools to improve information security and reduce vulnerabilities; and (5) the resources available to the business. The defense is also tied to the current version of the chosen framework: when a final revision to a listed framework is published, the program must reasonably conform to the revised framework within one year of the publication date, so a program built against a superseded version will not support the defense indefinitely.
It is important to note that the Act is intended as an incentive to encourage Ohio businesses to implement a robust cybersecurity program voluntarily. The Act does not establish a minimum cybersecurity standard, nor does it impose liability upon businesses that choose not to meet its requirements. Additionally, the Act does not change a business's existing duty under Ohio law to notify Ohio residents of data breaches involving their personal information.
As to how the Act interacts with HIPAA, Covered Entities will still be required to comply with the HIPAA rules. HIPAA does not provide a private cause of action to individuals affected by a health care privacy breach. However, individuals affected by a HIPAA breach or violation may pursue a common law tort claim under state law when their information is disclosed in a manner that was not authorized. With the passage of the Act, Ohio Covered Entities now have an additional incentive to maintain a written cybersecurity program that reasonably conforms to the HIPAA Security Rule and to secure protected health information, because doing so should provide an affirmative defense to potential tort claims arising out of a data breach under Ohio law. Because it is an affirmative defense, the Covered Entity must plead and prove that its program satisfied the Act's requirements at the time of the breach, which makes documentation of the written program, its framework mapping, and the reasoning behind its scale and scope a practical necessity rather than a formality.