June 7, 2020

June 05, 2020

Subscribe to Latest Legal News and Analysis

June 04, 2020

Subscribe to Latest Legal News and Analysis

A New Year and a New Approach to State Data Breach Legislation


Ohio is taking a unique approach to addressing data breaches by offering businesses meeting certain requirements with a safe harbor against lawsuits following a data breach. 

Specifically, the act provides an affirmative defense against tort actions brought under Ohio law or in Ohio courts alleging failure to implement reasonable information security controls resulting in a data breach to those entities that adopt certain cybersecurity frameworks.  


The new Ohio Data Protection Act became effective in late 2018. The Act provides the safe harbor to businesses that create, maintain, and comply with written cybersecurity programs including administrative, technical, and physical safeguards for protecting personal information and reasonably conform to an industry-recognized cybersecurity framework such as:

  • The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity; 

  • NIST Special Publication 800-171; 

  • NIST Special Publications 800-53 and 800-53a; 

  • The Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework; or 

  • The Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense.  

In addition, an entity’s cybersecurity program will also be found to conform to an industry-recognized cybersecurity framework if the entity is subject to and conforms to the security requirements of the Health Insurance Portability and Accountability Act (HIPAA), Title V of the Gramm-Leach-Bliley Act, the Federal Information Security Modernization Act, or the Health Information Technology for Economic and Clinical Health Act. Covered entities subject to the payment card industry data security standard may also be eligible for safe harbor status.  


Make sure your cybersecurity program is compliant.

© Steptoe & Johnson PLLC. All Rights Reserved.


About this Author

Steptoe & Johnson’s Environmental and Regulatory attorneys represent clients before federal, state, and local courts and administrative boards in civil, criminal, and administrative matters.

Our environmental lawyers possess extensive experience as seasoned litigators who can handle commercial and energy-related litigation in high-profile cases.

Environmental and Regulatory Practice Group attorneys possess the knowledge and experience to understand the highly technical nature of environmental issues.

202 429 6213