By: Chad Perlov - LEXIS PRACTICE ADVISOR
This article discusses the Ohio Data Protection Act’s (ODPA) new legal safe harbor against data breach claims and how to comply with the requirements set out in the statute. Effective November 2, 2018, businesses and nonprofit entities that create and maintain a cybersecurity program in accordance with the ODPA’s requirements can assert their compliance as an affirmative defense to any tort action brought in Ohio alleging that the failure to implement reasonable information security controls caused a data breach.1
Ohio is the first state to incentivize entities to adopt strong cybersecurity practices, rather than punish them for failing to adhere to a specific regulatory framework.2 Entities are eligible for the safe harbor if they create, maintain, and comply with a cybersecurity program that, among other things, reasonably conforms to one of the industry-recognized cybersecurity frameworks listed in the ODPA.
The ODPA applies to any business that accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside of Ohio (covered entity).3
To read the full practice note in Lexis Practice Advisor, follow this link.
Chad Perlov is a Content Manager for Lexis Practice Advisor® in the Data Security & Privacy and Intellectual Property & Technology practice areas, specializing in technology transactions, data privacy, e-commerce, and IP/IT in corporate transactions. In his legal career, Chad served as general counsel for a multinational software development and IT solutions company. He has also practiced at large law firms in New York and Sydney, as well as in-house at a well-known manufacturer of household cleaning products. Chad earned his JD from the University of Colorado School of Law, where he was a member of the Colorado Law Review and a research assistant. He is admitted to practice in New York and Colorado.
For a detailed discussion on preparing data breach avoidance and response plans, see
> DATA BREACH PLANNING AND MANAGEMENT
> Data Security & Privacy > Data Breaches > Planning > Practice Notes
For guidance on preparing plans for avoidance of a data breach and how to respond in the event of a breach, see
> DATA BREACH AVOIDANCE AND RESPONSE PLAN CHECKLIST
> Data Security & Privacy > Data Breaches > Planning > Checklists
For assistance in creating a cybersecurity resilience implementation plan, see
> CYBERSECURITY RESILIENCE IMPLEMENTATION PLAN
> Data Security & Privacy > Cybersecurity Risk Management > Forms
For an example of an internal information security plan, see
> WRITTEN INFORMATION SECURITY PLAN
1. Ohio Rev. Code Ann. § 1354.02.
2. Press Release, Ohio Attorney General, Data Protection Act Will Incentivize Cybersecurity to Protect Customer Data (Nov. 3, 2017), available at https://www.ohioattorneygeneral.gov/Media/News-Releases/November-2017/Data-Protection-Act-Will-Incentivize-Cybersecurity.
3. Ohio Rev. Code Ann. § 1354.01(B).