Ohio’s Data Protection Act: What You Need to Know

        Ohio recently enacted the Ohio Data Protection Act[1] which was part of Attorney General DeWine’s CyberOhio Initiative. The Act will go into effect on November 2, 2018. Every Ohio business should be familiar with the Ohio DPA and determine whether they can or want to qualify for the benefits. The Ohio DPA also provides another reminder of the importance of examining and evaluating your data protection and written information governance policies.

          The Ohio DPA does not change Ohio’s data breach statute[2] but it provides a potential statutory affirmative defense for a company which conducts business in Ohio and is sued in tort for a data breach. Generally, FTC enforcement actions and recent data breach class actions challenge the reasonableness of the company’s data protection plans.[3] The Ohio DPA enumerates specific cybersecurity frameworks which, by statute, are deemed reasonable by statute.[4] If a company “creates, maintains, and complies with a written cybersecurity program” that contains “administrative, technical and physical safeguards for the protection of personal information” and “reasonably conforms” to one of these statutorily approved frameworks, the company is entitled to a statutory affirmative defense which effectively presumes the reasonableness of the company’s data protection program.[5] The Ohio DPA also gives Ohio companies some flexibility to scale the scope of the statutorily-approved frameworks depending on the size of the company, the nature of the activities, costs of compliance, and other enumerated factors.[6]

          The Ohio DPA is somewhat unique in that it focuses on codifying acceptable conduct but it is not a mandate. Unlike GDPR and other state statutes, there is no draconian penalty or fine for non-compliance – companies can choose whether to take advantage of the statute or not.

          While helpful to Ohio businesses, the Ohio DPA has some limitations. First, the statutory affirmative defense only applies as an affirmative defense to tort claims in data breach lawsuits alleging negligence or invasion of privacy. The company’s conduct and work in establishing the cybersecurity framework is relevant and certainly helpful in defending statutory and contract claims in court or in an FTC enforcement actions, but the statutory defense technically does not apply. Moreover, the defense is available to any business authorized to do business in Ohio (which is not limited to Ohio businesses)[7] against tort claims “brought under the laws of this state or in the courts of this state,”[8] which will create some interesting discussions in federal and state courts when initially invoked.

          Second, the defense is available to a company who “reasonably conforms” to one of the statutorily approved frameworks, which will still generally be a factual issue. Similar statutes in other jurisdictions provide some minimum requirements for the cybersecurity program, but Ohio’s DPA does not. The Ohio DPA also allows for scalability of the cybersecurity program, which also provides added factual questions on judgment and reasonableness. Ohio’s DPA provides flexibility, which can be double-edged sword.

          Finally, as an affirmative defense, the company bears the burden of initially establishing compliance with the Ohio DPA, and there are a few potential pitfalls with compliance. The company must prove that the cybersecurity program is in writing[9] and the company must monitor changes to the approved cybersecurity frameworks and adopt those changes within one year from the effective date of the changes.[10] While these steps are usually basic parts of any data protection plan, the Ohio DPA mandates these requirements and vigilance going forward.

          The Ohio DPA may not provide significant new protections, but it is a step in the right direction and it is another reason why companies have to focus on their data protection and written information governance policies. Data protection is more critical than ever and the statutory landscape continues to evolve as GDPR goes into effect;[11] Congress begins to focus on potential national standards;[12] states like California, Massachusetts and New York adopt new data protection guidelines;[13] and industry tries to stay out in front by announcing its own guidelines and principles for voluntary compliance.[14] At the same time, data breach litigation and FTC enforcement actions are on the rise.[15] All Ohio companies that use, collect or store personal information, and data in general, should have written information governance policies and data protection/data breach plans in place and should monitor the changing developments in this area. The Ohio DPA may provide your company some added benefits that you should discuss and consider as well.

[1] O.R.C. § 1354.01-05 (2018).

[2] O.R.C. § 1349.19 (2018).

[3] See e.g., Compl. at 6, Uber Tech.’s, Inc., No. C-1523054 (U.S. Fed. Trade Comm’n Apr. 15, 2017), https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_complaint.pdf (FTC enforcement action against Uber alleging Uber “did not provide reasonable security for consumers’ personal information stored in its databases,” which constituted “unfair or deceptive acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)”); LabMD, Inc. v. FTC, 891 F.3d 1286, 1290 (11th Cir. 2018) (FTC enforcement action against LabMD alleging “LabMD had committed an ‘unfair act or practice’ prohibited by Section 5(a) by ‘engag[ing] in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks.’”); see also In re Anthem, Inc. Data Breach Litig., 2018 U.S. Dist. LEXIS 139271 (N.D. Cal. Aug. 15, 2018) (Plaintiff’s class action suit against Anthem depended “first and foremost, on whether Anthem used reasonable data security to protect Plaintiffs' personal information”); In re Home Depot, Inc., 2016 U.S. Dist. LEXIS 65111, at *35 (N.D. Ga. May 17, 2016) (class action against Home Depot alleging Home Depot violated California’s Unfair Competition Law by failing to “maintain adequate and reasonable security measures”).

[4] O.R.C. § 1354.03 (2018) (including NIST 800-171, NIST 800-53 and ISO 27001, among others).

[5] O.R.C. § 1354.02 (2018).

[6] O.R.C. § 1354.02(C) (2018).

[7] O.R.C. § 1354.01(A) (2018).

[8] O.R.C. § 1345.02(D)(1) (2018).

[9] O.R.C. § 1354.02(A)(1-2) (2018).

[10] O.R.C. § 1354.03 (2018).

[11] General Data Protection Regulation (2018), available at https://gdpr-info.eu/.

[12] National Telecommunications and Information Administration, Requests for Comments on Developing the Administration’s Approach to Consumer Privacy (September 25, 2018), https://www.ntia.doc.gov/federal-register-notice/2018/request-comments-developing-administration-s-approach-consumer-privacy.

[13] AB-375 (Ca. June 29, 2018), California Consumer Privacy Act text, available at https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375; S.2455 (Mass., April 19, 2018), An Act Relative To Consumer Protection From Security Breaches text, available at https://malegislature.gov/Bills/190/S2455; 6933-B (New York Nov. 1, 2017), Stop Hacks and Improve Electronic Data Security Act text, available at https://legislation.nysenate.gov/pdf/bills/2017/S6933B

[14] Internet Association, Internet Association Proposes Privacy Principles for a Modern National Regulatory Framework (September 12, 2018), https://internetassociation.org/internet-association-proposes-privacy-principles-for-a-modern-national-regulatory-framework/; Google, Framework for Responsible Data Protection Regulation (September 2018), https://services.google.com/fh/files/blogs/google_framework_responsible_data_protection_regulation.pdf.

[15] See Federal Trade Commission, Cases Tagged With Data Security, available at https://www.ftc.gov/enforcement/cases-proceedings/terms/249 (last accessed Oct. 19, 2018).

KMK Law articles and blog posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. The laws/regulations and interpretations thereof are evolving and subject to change. Although we will attempt to update articles/blog posts for material changes, the article/post may not reflect changes in laws/regulations or guidance issued after the date the article/post was published. Please consult with counsel of your choice regarding any specific questions you may have.


© 2024 Keating Muething & Klekamp PLL. All Rights Reserved


Jump to Page