Ohio Tries Different Strategy for Data Privacy Law

Unlike most states, Ohio is not going to require companies to have good security and privacy practices. Instead, it is going to offer companies a defense, in case they get sued as a result of a breach, for why the breach is not their fault.

With no penalties and no enforcement, they are leaving it up to companies to decide if the protections that are offered are worth the cost of creating the program.

The law ONLY applies if the company is sued in Ohio state court, which seems relatively unlikely, and only to tort claims and only if the lawsuit claims that the breach was caused by failure to implement reasonable information security controls.

These limitations make it relatively unlikely that very many businesses will spend the money needed to get this very limited protection. Still, a few may do it.

On the other hand, if there was a national law that provided this protection nationwide, in both state courts and federal courts, that would be much more enticing.

Assuming a company chooses to implement such a safe harbor, what do they need to do?

First, they have to create, maintain and comply with a written cyber security program that reasonably conforms to one of the following:

The NIST cyber security framework
NIST Special Pub 800-53 and its cousins 800-53a or 800-171
Fedramp
Center for Internet Security Critical Security Controls
ISO 27000 family of security controls
HIPAA
HITECH
Title 5 of Gramm-Leach-Bliley
FISMA
PCI, but importantly, only when combined with one of the other frameworks

These frameworks all have their pluses and minuses, but, in balance, all will help companies protect people’s information.

The program must be designed to protect the security and confidentiality of people’s information, protect against anticipated threats and protect against unauthorized access.

Finally, the law says that businesses can tailor these programs based on:

The size and complexity of the business
The activities of the business
The sensitivity of the information
The cost and availability of tools to improve cybersecurity
The resources available to the business

What this likely means is that even if a business creates some form of program under this law in order to protect people’s information, they are likely going to have to defend, in court, that whatever they did meets the requirements of the law.

It will be interesting to see if companies think the benefit of this is worth the cost.

For larger companies, this is a free ride. Companies that need to comply with other, more restrictive state privacy and security laws such as (among many others) Massachusetts, Colorado, New York and California, will pretty much automatically comply. As a result, *IF* they get sued in Ohio they will be protected.

The law goes into effect November 2, 2018.

Information for this alert came from the IAPP (membership may be required to view this link): https://iapp.org/news/a/analysis-ohios-data-protection-act/