Ohio businesses that proactively implement a cybersecurity protocol around specific industry standards will now have defensive legal protection, thanks to a new law enacted by the Ohio Legislature.

Effective November 2, 2018, Ohio’s Data Protection Act (DPA) has been supplemented with an incentive intended to offer a safe harbor against data breach lawsuits to companies that implement, maintain and comply with an industry-recognized cybersecurity program. Gov. John Kasich originally signed the Ohio Data Security Protection Act on Aug. 3, 2018.

Ohio’s safe harbor law, which is the first of its kind in the U.S., was enacted in response to the sharp increase in costly, damaging data breaches. To meet the safe harbor standards, a business that accesses, maintains, communicates or processes personal or restricted information must have cybersecurity measures designed to:

  • protect the security and confidentiality of personal information;
  • protect against any anticipated threats or hazards to the security or integrity of personal information; and
  • protect against unauthorized access to the acquisition of personal information likely to result in a material risk of identity theft or other fraud.

Intended as an incentive for businesses to reduce the far-reaching effects of data breaches in exchange for defense against tort actions, the enhanced DPA calls for businesses to improve their cybersecurity measures by complying with established security standards. Specifically, businesses must comply with one of eight industry-recognized frameworks, depending on the nature of a business’ activities and sensitivity of information.

For organizations that accept payment cards, their cybersecurity programs must also comply with the Payment Card Industry’s Data Security Standards (PCI-DSS) to qualify for the affirmative defense. Similarly, organizations subject to certain state or federally mandated security requirements may also qualify, such as those complying with the security requirements in the Health Insurance Portability and Accountability Act (HIPAA), Title V of the Gramm-Leach-Bliley Act (GLBA), the Federal Information Security Modernization Act (FISMA) or the Health Information Technology for Economic and Clinical Health Act (HITECH).

Skoda Minotti can help clients determine the most effective strategy and tactics to benefit from Ohio’s new safe harbor law. We are a full-service IT compliance provider offering SOC Audits, PCI Compliance Certification and HITRUST certification. Our 2019 roadmap includes offering ISO 27001 certification services.

Do you have questions about the safe harbor law or other risk advisory matters? Contact Joe Compton at 440-605-7252 or email Joe.