Ohio Data Protection Act Protections Encourage Companies to Take Action

Last month, Ohio signed into law The Data Protection Act, Senate Bill 220 (the Bill), which will serve as an affirmative defense to certain tort claims related to data privacy protection, with its primary intention being to protect companies and other organizations from legal action following a breach in their data security – but only if that organization had previously implemented a specified cybersecurity program.

According to language in the Bill, it provides a defense against any tort in Ohio alleging that “the failure to implement reasonable information security controls resulted in a data breach concerning personal information.”In general, this should include lawsuits that allege negligence and invasion of privacy. Therefore, it will be critical for organizations to formalize or strengthen their data privacy protection strategy so that it complies with regulations set by the Bill.

It’s also important for businesses to consider that while the Bill states that it protects businesses based in any state that access or utilize Ohioans’ personal information through systems or services based either in or outside of Ohio, it does not provide complete, blanket protection – it only applies in the tort circumstances mentioned above. The Bill would not be a legitimate defense in, for example, a breach of contract lawsuit.

The Bill also may not be used as a defense against lawsuits not brought under Ohio law in courts outside of Ohio, even if they are tort claims. This means Ohio companies would not receive any of the Bill’s protections if they face lawsuits in a different state under a different state’s laws.

In order for an organization to be eligible for the protections the Bill provides, the organization must:

  1. Create, maintain, and comply with a written cybersecurity program that “reasonably conforms” to one of the eight approved frameworks 1, and
  2. Satisfy the general requirements outlined in R.C. Section 1354.02(B) and (C), which, among other items, calls for protection against the unauthorized access of information that is likely to cause identity theft or other fraud against anticipated threats or security hazards, taking into consideration elements such as the size and scope of activities of the organization, the nature and sensitivity of the information, and the cost and availability of tools to improve information security.

Businesses and other organizations who have not yet put in place data protection policies and strategies are strongly encouraged to begin the necessary processes. The Data Protection Act becomes effective on November 2 nd of this year, and the sooner it can be used to protect you and your organization when a data breach occurs, the better.


1Frameworks approved in the Bill include: 1. NIST SP 800-171; 2. NIST SP 800-53 and 800-53(a); 3. The Federal Risk and Authorization Management Program (FedRAMP); 4. Center for Internet Security (CIS) Critical Security Controls; 5. The ISO 27000 Family; 6. The HIPAA Security Rule; 7. Graham-Leach-Bliley Act; and, 8. The Federal Information Security Modernization Act (FISMA).