Ohio’s New Data Protection Act

On November 2, 2018, Ohio became the first state in the country to adopt a litigation “safe harbor” in connection with data breach claims. The new statute, Revised Code §1354, is entitled Businesses Maintaining Recognized Cybersecurity Programs. It does not alter Ohio’s current data breach notification requirements, found at Revised Code §1349.19, and it does not create a minimum cybersecurity standard in the state. It simply provides a limited affirmative defense which businesses may assert in connection with data breach claims.

The harbor provided under the statue is a rather narrow one. In order to gain the protection of safe harbor the business affected by a data breach, called a “Covered Entity” in the statute, must:

(1)  Create, maintain and comply with a written cybersecurity program that reasonably conforms to at least one of 11 industry-recognized security frameworks listed in the statute; and

(2) The cybersecurity program used must protect the security and the confidentiality of the information, protect against any anticipated threats or hazards to the security or integrity of the information, and protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud; and

(3) The scale and scope of the cybersecurity program used must be appropriate, based on considerations such as the size and complexity of the Covered Entity, the nature and scope of its activities, the sensitivity of the information to be protected, and the resources available to the entity.

The listed frameworks are generally grouped into three categories depending on whether the Covered Entity is a private company, an entity regulated by the state or federal government, or a financial institution subject to payment card industry regulations. The listed frameworks include:

  • The framework for improving critical infrastructure cybersecurity developed by the National Institute of Standards and Technology (“NIST”).
  • NIST special publication 800-171
  • NIST special publications 800-53 and 800-53a
  • The federal risk and authorization management program (FedRAMP) framework

If a business is regulated by and complies with, certain other state and/or federal government privacy frameworks, it may also satisfy the terms of the statute. These frameworks include:

  • Federal Information Security Modernization Act of 2014;
  • Health Insurance Portability and Accountability Act of 1996;
  • Health Information Technology for Economic and Clinical Health Act;
  • Title V of the Gramm-Leach-Bliley Act of 1999.

Finally, if a business processes payment cards, it must comply with Payment Card Industry (PCI) standards—specifically, the PCI Data Security Standard—to qualify for the affirmative defense.

When a revision is released to any of the listed frameworks, the Covered Entity will have one year to update its program to conform to the new edition of the framework in order to maintain its eligibility for the safe harbor.

In asserting the affirmative defense, the Covered Entity will bear the burden of proof to demonstrate it has met all the requirements in the statute. This may be difficult as a practical matter since several of the frameworks listed currently have no third-party certifications.

There are also other limitations to consider. For a business to invoke the affirmative defense in a lawsuit, the breach claim must: (1) arise under tort law, (2) be brought under Ohio law or in Ohio courts, and (3) allege that “failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.” Many breach claims, however, are brought under contract theories to which the safe harbor does not apply. And since significant breaches generally affect individuals in more than one jurisdiction, plaintiff’s attorneys seeking to avoid the safe harbor defense can easily avoid it by filing in another forum.

This entry was posted in News.
  • About the Author


    Joseph Robinette

    Joseph Robinette’s practice focuses on corporate transactions, commercial agreements, antitrust counseling, intellectual property (IP) law and licensing, and unfair competition law. Before joining Wood + Lamping, Joseph served for many years as General Counsel to the United States Playing Card Company, the manufacturer of the well-known Bicycle® brand. He was also a member of the team of attorneys who wrote the winning motion for summary judgment in the significant antitrust case, Medical Center at Elizabeth Place v. Premier Health Partners, case 3:12–cv.26, Southern District of Ohio (2014).

  • Contact Us

    Wood + Lamping LLP

    Cincinnati, OH

    600 Vine Street Suite 2500
    Cincinnati, OH 45202
    513-852-6000 main
    513-852-6087 fax

    Southeast Indiana

    70 East High Street
    Lawrenceburg, IN 47025
    812-537-2375 main