Unlike most states, Ohio is not going to require companies to have good security and privacy practices. Instead, it is going to offer companies a defense, in case they get sued as a result of a breach, for why the breach is not their fault.
With no penalties and no enforcement, the state is leaving it up to companies to decide whether the protection on offer is worth the cost of building the program.
The law ONLY applies if the company is sued in Ohio state court, which seems relatively unlikely; it covers only tort claims, and only when the lawsuit alleges that the breach was caused by a failure to implement reasonable information security controls.
These limitations make it relatively unlikely that many businesses will spend the money needed to obtain this very limited protection. Still, a few may do it.
On the other hand, if there were a national law that provided this protection nationwide, in both state and federal courts, it would be much more enticing.
Assuming a company chooses to implement such a safe harbor, what do they need to do?
First, they have to create, maintain and comply with a written cyber security program that reasonably conforms to one of the following:
These frameworks all have their pluses and minuses, but, on balance, all will help companies protect people’s information.
The program must be designed to protect the security and confidentiality of people’s information, protect against anticipated threats and protect against unauthorized access.
Finally, the law says that businesses can tailor these programs based on:
What this likely means is that even if a business creates some form of program under this law to protect people’s information, it will probably still have to defend, in court, that whatever it did meets the requirements of the law.
It will be interesting to see if companies think the benefit of this is worth the cost.
For larger companies, this is a free ride. Companies that must already comply with other, more restrictive state privacy and security laws, such as those of Massachusetts, Colorado, New York and California (among many others), will pretty much automatically comply. As a result, *IF* they get sued in Ohio, they will be protected.
The law goes into effect November 2, 2018.
Information for this alert came from the IAPP (membership may be required to view this link): https://iapp.org/news/a/analysis-ohios-data-protection-act/