April 20, 2019

A New Year and a New Approach to State Data Breach Legislation


Ohio is taking a unique approach to addressing data breaches by offering businesses that meet certain requirements a safe harbor against lawsuits following a data breach.

Specifically, the act gives entities that adopt certain cybersecurity frameworks an affirmative defense against tort actions, brought under Ohio law or in Ohio courts, alleging that a failure to implement reasonable information security controls resulted in a data breach.


The new Ohio Data Protection Act became effective in late 2018. The Act provides the safe harbor to businesses that create, maintain, and comply with written cybersecurity programs that include administrative, technical, and physical safeguards for protecting personal information and that reasonably conform to an industry-recognized cybersecurity framework such as:

  • The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity; 

  • NIST Special Publication 800-171; 

  • NIST Special Publications 800-53 and 800-53a; 

  • The Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework; or 

  • The Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense.  

In addition, an entity’s cybersecurity program will be found to conform to an industry-recognized cybersecurity framework if the entity is subject to and conforms to the security requirements of the Health Insurance Portability and Accountability Act (HIPAA), Title V of the Gramm-Leach-Bliley Act, the Federal Information Security Modernization Act, or the Health Information Technology for Economic and Clinical Health Act. Covered entities subject to the Payment Card Industry Data Security Standard may also be eligible for safe harbor status.


Make sure your cybersecurity program is compliant.

© Steptoe & Johnson PLLC. All Rights Reserved.


About this Author

Susan Pauley, Steptoe Johnson Law Firm, Huntington, Cybersecurity Attorney
Of Counsel

Susan Pauley currently practices in the areas of information and privacy law, cybersecurity, and mineral title examinations.  Ms. Pauley is a member of the firm’s Cybersecurity Team.