Ohio Law Provides Legal Safe Harbor for Compliant Cybersecurity Programs

Posted on 02-21-2019


This article discusses the Ohio Data Protection Act’s (ODPA) new legal safe harbor against data breach claims and how to comply with the requirements set out in the statute. Effective November 2, 2018, businesses and nonprofit entities that create and maintain a cybersecurity program in accordance with the ODPA’s requirements can assert their compliance as an affirmative defense to any tort action brought in Ohio alleging that the failure to implement reasonable information security controls caused a data breach.1

Ohio is the first state to incentivize entities to adopt strong cybersecurity practices, rather than punish them for failing to adhere to a specific regulatory framework.2 Entities are eligible for the safe harbor if they create, maintain, and comply with a cybersecurity program that, among other things, reasonably conforms to one of the industry-recognized cybersecurity frameworks listed in the ODPA.

Entities Eligible for the Safe Harbor

The ODPA applies to any business that accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside of Ohio (covered entity).3

The ODPA defines business as any for profit or nonprofit:

  • Limited liability company
  • Limited liability partnership
  • Corporation
  • Sole proprietorship
  • Association or other group
  • Financial institution organized, chartered, or holding a license authorizing operation under the laws of Ohio, any other state, the United States, or any other country
  • Parent or subsidiary of any of the foregoing4

Types of Data Breaches Subject to Liability

The ODPA defines data breach as:

  • Any unauthorized access to and acquisition of computerized data
  • That compromises the security or confidentiality of personal information or restricted information
  • Owned by or licensed to a covered entity
  • That causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to a person or property5

The ODPA does not consider either of the following situations to be a data breach:

  • Employment. Good faith acquisition of personal information or restricted information by the covered entity’s employee or agent for the purposes of the covered entity, provided that the personal information or restricted information is not used for an unlawful purpose or subject to further unauthorized disclosure.6
  • Legal obligation. Acquisition of personal information or restricted information pursuant to a search warrant, subpoena, or other court order, or pursuant to a subpoena, order, or duty of a regulatory state agency.7

For the purposes of this statute, the ODPA defines personal information as an individual’s name, consisting of the individual’s first name or first initial and last name, in combination with and linked to any one or more of the following unencrypted, unredacted, or unaltered data elements:

  • Social Security number
  • Driver’s license number or state identification card number
  • Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual’s financial account8

Personal information does not include publicly available information that is lawfully made available to the general public from:

  • Federal, state, or local government records
  • Any of the following media that are widely distributed:
    • Any news, editorial, or advertising statement published in any bona fide newspaper, journal, or magazine, or broadcast over radio or television
    • Any gathering or furnishing of information or news by any bona fide reporter, correspondent, or news bureau to news media described above
    • Any publication designed for and distributed to members of any bona fide association or charitable or fraternal nonprofit corporation
    • Any type of media similar in nature to any item, entity, or activity identified in the foregoing9

Restricted information means any information about an individual, other than personal information, that, alone or in combination with other information (including personal information):

  • Can be used to distinguish or trace the individual’s identity or that is linked or linkable to an individual
  • Is not encrypted, redacted, or altered by any method or technology in such a manner that the information is unreadable
  • The breach of which is likely to result in a material risk of identity theft or other fraud to person or property10

Establishing a Cybersecurity Program

Covered entities seeking the safe harbor under the ODPA must create, maintain, and comply with a written cybersecurity program that:

  • Contains administrative, technical, and physical safeguards for the protection of personal information or restricted information (or both)
  • Reasonably conforms to one of the industry-recognized cybersecurity frameworks described in the statute11

A covered entity must design its cybersecurity program to achieve the following objectives:

  • Protect the security and confidentiality of the information
  • Protect against any anticipated threats or hazards to the security or integrity of the information
  • Protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates12

In addition, the ODPA requires each covered entity to tailor its cybersecurity program to ensure that it appropriately considers:

  • The size and complexity of the covered entity
  • The nature and scope of the activities of the covered entity
  • The sensitivity of the information to be protected
  • The cost and availability of tools to improve information security and reduce vulnerabilities
  • The resources available to the covered entity13

Complying with a Cybersecurity Framework

A covered entity’s cybersecurity program is eligible for the safe harbor if it reasonably conforms to one of the following:

  • An industry-recognized framework specified in the ODPA
  • Existing federal or state laws under which the covered entity is already regulated
  • A combination of industry-recognized frameworks specified in the ODPA14

Industry Frameworks

The ODPA lists the following industry-recognized frameworks to which a covered entity’s cybersecurity program must reasonably conform:

  • Framework for Improving Critical Infrastructure Cybersecurity, developed by the National Institute of Standards and Technology (NIST)
  • NIST special publication 800-171
  • NIST special publications 800-53 and 800-53a
  • Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework
  • Center for Internet Security Critical Security Controls for Effective Cyber Defense
  • The International Organization for Standardization/International Electrotechnical Commission 27000 Family - Information Security Management Systems15

PCI Data Security Standard (PCI DSS)

A covered entity may also seek a safe harbor if its cybersecurity program reasonably complies with both the current version of the PCI Data Security Standard (PCI DSS) and conforms to the current version of another applicable industry-recognized cybersecurity framework listed above.16

Existing Federal or State Law

A covered entity also may claim the safe harbor if it is regulated by Ohio or the federal government (or both), or is otherwise subject to the requirements of any of the laws or regulations listed below, and the cybersecurity program reasonably conforms to the entirety of the current version of the laws under which it is regulated:

  • The security requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. No. 104-191, 110 Stat. 1936 (Aug. 21, 1996))
  • Gramm-Leach-Bliley Act of 1999 (GLBA) (Pub. L. No. 106-102, 113 Stat. 1338 (Nov. 12, 1999))
  • Federal Information Security Modernization Act of 2014 (FISMA) (Pub. L. No. 113-283, 128 Stat. 3073 (Dec. 18, 2014))
  • Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) (42 U.S.C.S. § 201 et seq.)17

Required Cybersecurity Program Updates

Industry Frameworks

If a covered entity relies on an industry-recognized framework for compliance purposes under the ODPA, it must ensure that its cybersecurity program reasonably conforms to any revision of the framework no later than one year after the publication date stated in the revision.18

PCI DSS Standard

If a covered entity relies on the PCI DSS Standard for compliance purposes under the ODPA, it must ensure that its cybersecurity program reasonably conforms to any revision of that standard no later than one year after the publication date stated in the revision.19

Federal or State Law

A covered entity regulated by Ohio or the federal government (or both) must ensure that its cybersecurity program reasonably conforms to any revision of the applicable law or regulation no later than one year after the amendment’s effective date.20

Combination of Frameworks

If a covered entity’s cybersecurity program reasonably conforms to a combination of industry recognized cybersecurity frameworks, or complies with a standard (e.g., PCI DSS), and two or more of those frameworks are revised, the covered entity must ensure that its cybersecurity program reasonably conforms to all of the revised frameworks no later than one year after the latest publication date stated in the revisions.21

Asserting an Affirmative Defense in Ohio

Courts in Ohio consider an affirmative defense to be:

A defense in the nature of confession and avoidance as it admits the plaintiff has a claim but asserts a legal reason that the plaintiff cannot recover on it. An affirmative defense attacks the legal right to bring a claim as opposed to attacking the truth of the claim. It is more than a mere denial or a contradiction of the evidence but is a substantive or independent matter which the defendant claims exempts him from liability even if the facts of the complaint are conceded.22

In Ohio, the defendant must prove an affirmative defense by a preponderance of the evidence.23 As a result, a covered entity bears the burden of proving its cybersecurity program complies with the requirements of the ODPA.

A covered entity should consider taking the following steps to help ensure that its cybersecurity program both complies with the ODPA and supports an affirmative defense against future legal claims resulting from a data breach:

  • Maintain a written cybersecurity policy. Implement and maintain a written policy or policies describing your cybersecurity program for protecting your information systems and nonpublic information stored on those information systems. The policy should address, at a minimum:
    • Information security
    • Data governance and classification
    • Asset inventory and device management
    • Access controls and identity management
    • Business continuity and disaster recovery planning and resources
    • Systems operations and availability concerns
    • Systems and network security
    • Systems and network monitoring
    • Systems and application development and quality assurance
    • Physical security and environmental controls
    • Customer data privacy
    • Vendor and third-party service provider management (as discussed below)
    • Risk assessment
    • Incident response
  • Perform risk assessments. Conduct periodic risk assessments of your information systems sufficient to inform the design of your cybersecurity program. Update your risk assessment as reasonably necessary to address changes to your information systems, nonpublic information, or business operations.
  • Perform penetration testing and vulnerability assessments. Conduct monitoring and testing as part of your cybersecurity program. Develop all testing and monitoring processes in accordance with your risk assessment and ensure that they assess the effectiveness of your cybersecurity program. Include periodic penetration testing and vulnerability assessments as part of your monitoring program.
  • Limit access. As part of your cybersecurity program, you should limit user access privileges to information systems that provide access to nonpublic information and periodically review such access privileges.
  • Develop application security protocols. Ensure that your cybersecurity program uses secure development practices for in-house developed applications that your company uses, and procedures for evaluating, assessing, or testing the security of any externally developed applications that your company uses.
  • Use qualified cybersecurity personnel. Use only qualified cybersecurity personnel employed by your company, an affiliate, or a third-party service provider sufficient to manage your cybersecurity risks and to perform or oversee the performance of the core functions of your cybersecurity program. Provide cybersecurity personnel with cybersecurity updates and training sufficient to address relevant cybersecurity risks. Verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.
  • Use multifactor authentication. Use effective controls to protect against unauthorized access to nonpublic information or information systems. Multifactor authentication typically means authentication through verification of at least two of the following types of authentication factors:
    • Knowledge factors (e.g., password)
    • Possession factors (e.g., token or text message)
    • Inherence factors (e.g., biometric characteristic)
  • Develop a third-party service provider security policy. Implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers. Ensure that these policies and procedures address:
    • The identification and risk assessment of third-party service providers
    • Minimum cybersecurity practices that third-party service providers are required to meet to do business with you
    • Due diligence processes used to evaluate the adequacy of cybersecurity practices of such third-party service providers
    • Periodic assessment of such third-party service providers based on the risk they present and the continued adequacy of their cybersecurity practices
  • Disposal of data. Ensure the cybersecurity program addresses the periodic secure disposal of certain nonpublic information that is no longer necessary for business operations or for other legitimate business purposes, except where either:
    • You are otherwise required to retain such information by law or regulation.
    • Targeted disposal is not reasonably feasible due to the way you maintain the information.
  • Implement a training and monitoring program. Implement risk-based policies, procedures, and controls designed to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, nonpublic information by such authorized users. In addition, you should provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified in your risk assessment.
  • Encrypt nonpublic information. Implement controls, including encryption, to protect nonpublic information held or transmitted by your company both in transit over external networks and at rest.
  • Develop an incident response plan. Establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event materially affecting the confidentiality, integrity, or availability of your information systems or the continuing functionality of any aspect of your operations. The incident response plan should address:
    • The internal processes for responding to a cybersecurity event
    • The goals of the incident response plan
    • Identifying roles, responsibilities, and levels of decision-making authority
    • External and internal communications and information sharing
    • Remediating any identified weaknesses in information systems and associated controls
    • Documenting and reporting cybersecurity events and related incident response activities
    • Evaluating and revising as necessary the incident response plan following a cybersecurity event

Chad Perlov is a Content Manager for Lexis Practice Advisor® in the Data Security & Privacy and Intellectual Property & Technology practice areas, specializing in technology transactions, data privacy, e-commerce, and IP/IT in corporate transactions. In his legal career, Chad served as general counsel for a multinational software development and IT solutions company. He has also practiced at large law firms in New York and Sydney, as well as in-house at a well-known manufacturer of household cleaning products. Chad earned his JD from the University of Colorado School of Law, where he was a member of the Colorado Law Review and a research assistant. He is admitted to practice in New York and Colorado.

To find this article in Lexis Practice Advisor, follow this research path:

RESEARCH PATH: Data Security & Privacy > Data Breaches > Planning > Practice Notes

For a detailed discussion on preparing data breach avoidance and response plans, see
> Data Security & Privacy > Data Breaches > Planning > Practice Notes

For guidance on preparing plans for avoidance of a data breach and how to respond in the event of a breach, see
> Data Security & Privacy > Data Breaches > Planning > Checklists

For assistance in creating a cybersecurity resilience implementation plan, see
> Data Security & Privacy > Cybersecurity Risk Management > Forms

For an example of an internal information security plan, see
> Data Security & Privacy > Cybersecurity Risk Management > Forms

1. Ohio Rev. Code Ann. § 1354.02.
2. Press Release, Ohio Attorney General, Data Protection Act Will Incentivize Cybersecurity to Protect Customer Data (Nov. 3, 2017), available at https://www.ohioattorneygeneral.gov/Media/News-Releases/November-2017/Data-Protection-Act-Will-Incentivize-Cybersecurity.
3. Ohio Rev. Code Ann. § 1354.01(B).
4. Ohio Rev. Code Ann. § 1354.01(A).
5. Ohio Rev. Code Ann. § 1354.01(C).
6. Ohio Rev. Code Ann. § 1354.01(C)(1).
7. Ohio Rev. Code Ann. § 1354.01(C)(2).
8. Ohio Rev. Code Ann. § 1349.19(A)(7)(a).
9. Ohio Rev. Code Ann. § 1349.19(A)(7)(b).
10. See Ohio Rev. Code Ann. § 1354.01(E).
11. Ohio Rev. Code Ann. § 1354.02(A)(1) and (2).
12. Ohio Rev. Code Ann. § 1354.02(B).
13. Ohio Rev. Code Ann. § 1354.02(C).
14. Ohio Rev. Code Ann. § 1354.03.
15. Ohio Rev. Code Ann. § 1354.03(A)(1).
16. Ohio Rev. Code Ann. § 1354.03(C)(1).
17. Ohio Rev. Code Ann. § 1354.03(B)(1).
18. Ohio Rev. Code Ann. § 1354.03(A)(2).
19. Ohio Rev. Code Ann. § 1354.03(C)(2).
20. Ohio Rev. Code Ann. § 1354.03(B)(2).
21. Ohio Rev. Code Ann. § 1354.03(D).
22. R.C. Olmstead, Inc. v. GBS Corp., 2009 Ohio App. LEXIS 5700 (Dec. 18, 2009).
23. Home Sav. Bank v. Loeffler, 2018 Ohio App. LEXIS 4552 (Oct. 15, 2018).