October 18, 2019

October 17, 2019

Subscribe to Latest Legal News and Analysis

October 16, 2019

Subscribe to Latest Legal News and Analysis

October 15, 2019

Subscribe to Latest Legal News and Analysis

FTC Defense Lawyer Discusses Ohio's New Data Protection Act

As previously blogged about here, digital marketers must take care to stay abreast of domestic date privacy legislation.  In fact, at a time with the tech industry is pushing for federal privacy legislation, California, Colorado and Vermont have respectively enacted privacy, cybersecurity and data broker discloure laws.

Add Ohio to the mix.

Effective November 1, 2018, the Ohio Data Protection Act will affords companies that access, maintain, communicate or process personal information (as defined in Ohio Revised Code 1349.19) or restricted information (unencrypted information about an individual that can be used to disintguish or trace the individual’s identity) that implement industry recognized security measures (e.g., written cybersecurity protocols and privacy controls) a defense in the event of a data breach.

Such security measures must confrom to specifically designated security standards and industry-specific privacy laws (e.g., HIPPA, GLBA, etc.) appropriate to a business’ size and activities, and be reasonably designed to safeguard personal information and minimize vulerabilities.

The ODPA applies to any “tort that alleges or relates to the failure to implement reasonable information security controls, resulting in a data breach,”  It does not apply to contract actions.  The law is also distinguishable from the new California and Colorado legislation in that the Ohio law is voluntary in nature.

The ODPA is, to some extent, similar to the Federal Trade Commission’s “Start With Security” guidance om that what is reasonable may  depend on the size and nature of business operations.  However, basic policy considerations consistently apply.  Do not collect sensitive information that is not needed.  Protect the information that is maintained.  Do not use personal information when it is not necessary.  Retain information only as long as a legitimate business need exists.  And, train staff to carry out policies and ensure that they are following through.

© 2019 Hinch Newman LLP


About this Author

Richard Newman, FTC Defense Lawyer, Internet Marketing, Hinch Newman Law Firm

Richard B. Newman is one of the premier FTC advertising compliance and regulatory defense attorneys in the United States.  He regularly provides advertising counsel and represents clients in high-profile investigations (CIDs) and enforcement proceedings initiated by the Federal Trade Commission, state attorneys general, departments of consumer affairs, and other federal and state agencies with jurisdiction over advertising and marketing practices.  Richard also handles  transactional matters relating to the dissemination of national advertising campaigns, including the...