The Ohio state government enacted Senate Bill 220, commonly known as the Ohio Data Protection Act, in November 2018.
The act was the first incentive-based law introduced in the United States to protect organizations that achieve a “higher level of cybersecurity.” In particular, the law offers additional protections (legal safe harbor) to organizations that maintain a robust cybersecurity program that aligns with one of eight industry-trusted security frameworks.
What Compliance Standards Does Senate Bill 220 Accept?
The Ohio Data Protection Act provides legal safe harbor to businesses that substantially comply with one of eight industry-recognized cybersecurity frameworks.
Covered entities demonstrating compliance are entitled to an affirmative defense against tort claims (lawsuits to claim compensation for damages) related to a data breach or alleged failure to adopt best practices into their security program.
An affirmative defense is a specialized legal defense that allows the defendant in a case to shift the burden of proof. The opposing party (the plaintiff in a civil claim, or the prosecutor in a criminal one) is not required to disprove the validity of the affirmative defense; instead, the defendant must prove that the defense applies to the case. When the defendant raises an affirmative defense successfully, they can negate criminal or civil liability.
To be eligible for legal safe harbor, organizations must create, maintain, and conform to a written cybersecurity program that meets the data security standards of one of the following industry frameworks:
- Center for Internet Security’s Critical Security Controls (CIS CSC),
- Federal Risk and Authorization Management Program (FedRAMP),
- International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27000 family (Information Security Management Systems),
- National Institute of Standards and Technology (NIST) Cybersecurity Framework,
- Federal Information Security Modernization Act of 2014 (FISMA),
- Health Insurance Portability and Accountability Act (HIPAA),
- Health Information Technology for Economic and Clinical Health Act (HITECH Act), or
- Title V of the Gramm-Leach-Bliley Act (GLBA)
The Ohio Data Protection Act also protects organizations that comply with the Payment Card Industry Data Security Standard (PCI DSS) in combination with one of the listed frameworks.
Note: Senate Bill 220 explicitly states that the law does not intend to create a minimum cybersecurity standard, and organizations should not read the law as imposing liability on their businesses. Multiple sections of the bill clarify that organizations may need to supplement the accepted security frameworks with additional safeguards for sensitive data as new security risks arise. All companies should develop a cybersecurity program appropriate to the size, scale, and nature of their operation and to the sensitivity of the information they collect, store, or otherwise process.
The Ohio Data Protection Act applies broadly to any Ohio business, organization, or collection of entities that process personal information or restricted information.
Ohio Senate Bill 220 defines personal information as any information that includes an individual’s name (first name or first initial and last name) in combination with any of the following data elements:
- Social Security number
- Driver’s license number
- State identification card number
- Financial account number or credit or debit card number (in combination with the access PIN or security code that would allow access to the individual’s financial account)
The law’s definition excludes publicly available information that is legally obtained from state or federal government records or circulated media sources, such as:
- News, editorial, or advertising statements published in a newspaper or magazine or broadcast over radio or television
- Information gathered by a news reporter or correspondent
- Association, charitable, and non-profit publications distributed to members
- Any media that meets similar standards to the types listed above
Ohio law defines restricted information as any unencrypted information that an individual or organization can reasonably use to distinguish an individual’s identity.
What are the Limitations of the Safe Harbor Policy?
The legal safe harbor protections granted by Senate Bill 220 do not provide covered organizations with blanket immunity. The protections afforded by the bill’s safe harbor provisions are limited to tort claims related to a data breach or failure to maintain industry best practices.
Senate Bill 220 does not protect organizations from contract-based disputes, such as claims arising from a contract with a third-party processor or with customers. This limitation includes contracts between data controllers and processors.
In the event of a lawsuit, the burden is on the covered organization: because the safe harbor is an affirmative defense, the organization must prove that its cybersecurity program met the standards of the law in order to claim safe harbor protection.
Incentive Benefits vs. Enforcement
The Ohio Data Protection Act differs from most other privacy laws because it offers incentive-based benefits to improve the security posture of local businesses rather than imposing regulatory penalties.
Most other privacy laws, such as the California Consumer Privacy Act (CCPA) or Virginia Consumer Data Protection Act (VCDPA), are enforced by a private right of action or by the state attorney general.
On July 7, 2021, the Ohio government introduced House Bill 376, the Ohio Personal Privacy Act. This bill has yet to be passed by the Senate or House of Representatives but would enforce regulations similar to those presented by California, Virginia, and other state privacy laws.
If Ohio passes House Bill 376, it will be one of the only states in the nation to both offer incentive-based benefits and impose regulations on the security measures taken by local businesses. This combination of legislation could have interesting implications for Ohio businesses.
Data Privacy Laws Around the United States
After the European Union passed its General Data Protection Regulation (GDPR) in 2018, various U.S. states followed suit.
The following U.S. states have passed comprehensive privacy protection legislation:
- California (CCPA)
- Colorado (CPA)
- Connecticut (CTDPA)
- Indiana (INCDPA)
- Iowa (ICDPA)
- Montana (MTCDPA)
- Tennessee (TIPA)
- Texas (TDPSA)
- Utah (UCPA)
- Virginia (CDPA)
In addition to these comprehensive laws passed by U.S. states, several other states have passed critical security regulations and privacy laws of their own:
- California IoT Security Law (SB-237)
- Texas Risk and Authorization Management Program (TX-RAMP)
- Washington’s My Health My Data (MHMD) Act
- Nevada Privacy Law (603A)
How Can UpGuard Help?
UpGuard BreachSight empowers organizations to manage their security posture with confidence. Using the product, organizations can monitor their attack surface 24/7, prioritize vulnerabilities, and protect their overall reputation.
UpGuard Vendor Risk allows organizations to streamline their vendor risk management program through the use of automated assessment workflows, customizable security questionnaires, and real-time notifications in one centralized dashboard.