Data Protection Act and Safe Harbor for Ohio Businesses

As a business, data breach and cybersecurity issues are an ongoing and daily concern. Even if your company has implemented comprehensive policies and security protections, data breaches can still occur. The good news is, Ohio passed a new law to protect businesses who have taken appropriate steps to safeguard data.

On August 3, 2018, Governor Kasich signed the Data Protection Act (R.C. 1354.01, et seq.). The Data Protection Act provides an affirmative defense to businesses facing a civil lawsuit over data breach claims. The defense applies, if a business shows it creates and maintains a written cybersecurity program in compliance with reasonable security measures at the time of the breach. Whether the security measures are reasonable will depend on the company’s size, nature and scope of activities, sensitivity of the information, costs, and resources available to the company. One industry standard set forth in the statute is compliance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. If a business is already subject to various Federal regulatory standards, such as HIPPA, compliance with those Acts will also provide protection.

The law becomes effective November 2, 2018. This new law is not a requirement of data security standards that Ohio companies must satisfy. Instead, the Data Protection Act offers complying companies a defense to a civil lawsuit for damages from a data breach. With the threat of class action lawsuits related to data breaches, the new law provides a strong defense to protect proactive businesses from costly and expensive lawsuits.

Now is the time to evaluate your data security procedures, manuals, and technical safeguards. The cybersecurity attorneys at Isaac Wiles can assist in determining whether your company’s security measures are in compliance with the new safe harbor provisions.