On November, 2, 2018, Ohio’s recently passed Data Protection Act (Act) officially became law. The Act provides a possible affirmative defense to businesses in lawsuits where the plaintiff alleges a tort based on a business’ failure to implement a cybersecurity framework.

Importantly, the new law does not create a minimum cybersecurity standard in Ohio or new cybersecurity regulations that businesses must follow. Rather, the law operates by incentivizing businesses to develop and maintain a cybersecurity program that “reasonably conforms” to an already existing, industry recognized cybersecurity framework. If the company can prove that it had a compliant cybersecurity program in place at the time of a breach, the company can use the program’s existence as an affirmative defense to certain tort claims.

Under the Act, compliant frameworks include:
• National Institute of Standards and Technology (NIST) Cybersecurity Framework;
• NIST Special Publications 800-53, 800-53A, or 800-171;
• Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework;
• Center for Internet Security Critical Security Controls (CIS CSC) for Effective Cyber Defense;
• International Organization for Standardization (ISO) / International Electrotechnical Commission’s (IEC) 27000 Family – Information Security Management Systems;
• Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule;
• Health Information Technology for Economic and Clinical Health Act (HITECH);
• Title 5 of the Gramm-Leach-Bliley Act of 1999 (GLBA);
• Federal Information Security Modernization Act of 2014 (FISMA); and
• Payment Card Industry Standard (PCI) combined with another listed framework.

The law allows businesses to determine the appropriate framework to follow based on the individualized needs of the business. The law requires that the “scale and scope” of the company’s cybersecurity program be appropriate in light of:

  1. The size and complexity of the covered entity;
  2. The nature and scope of the activities of the covered entity;
  3. The sensitivity of the information protected;
  4. The cost and availability of tools to improve information security and reduce vulnerabilities; and
  5. The resources available to the covered entity.

However, the law’s protections are limited. The Act only provides an affirmative defense to tort claims based on Ohio law or brought in an Ohio court. Businesses would not have an affirmative defense to contract actions.