Ohio Law Provides Legal Safe Harbor for Compliant Cybersecurity Programs

Posted on 02-21-2019

By: Chad Perlov - LEXIS PRACTICE ADVISOR

This article discusses the Ohio Data Protection Act’s (ODPA) new legal safe harbor against data breach claims and how to comply with the requirements set out in the statute. Effective November 2, 2018, businesses and nonprofit entities that create and maintain a cybersecurity program in accordance with the ODPA’s requirements can assert their compliance as an affirmative defense to any tort action brought in Ohio alleging that the failure to implement reasonable information security controls caused a data breach.1

Ohio is the first state to incentivize entities to adopt strong cybersecurity practices, rather than punish them for failing to adhere to a specific regulatory framework.2 Entities are eligible for the safe harbor if they create, maintain, and comply with a cybersecurity program that, among other things, reasonably conforms to one of the industry-recognized cybersecurity frameworks listed in the ODPA.

Entities Eligible for the Safe Harbor

The ODPA applies to any business that accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside of Ohio (covered entity).3

To read the full practice note in Lexis Practice Advisor, follow this link.


Chad Perlov is a Content Manager for Lexis Practice Advisor® in the Data Security & Privacy and Intellectual Property & Technology practice areas, specializing in technology transactions, data privacy, e-commerce, and IP/IT in corporate transactions. In his legal career, Chad served as general counsel for a multinational software development and IT solutions company. He has also practiced at large law firms in New York and Sydney, as well as in-house at a well-known manufacturer of household cleaning products. Chad earned his JD from the University of Colorado School of Law, where he was a member of the Colorado Law Review and a research assistant. He is admitted to practice in New York and Colorado.


Related Content

For a detailed discussion on preparing data breach avoidance and response plans, see

> DATA BREACH PLANNING AND MANAGEMENT

> Data Security & Privacy > Data Breaches > Planning > Practice Notes

For guidance on preparing plans for avoidance of a data breach and how to respond in the event of a breach, see

> DATA BREACH AVOIDANCE AND RESPONSE PLAN CHECKLIST

> Data Security & Privacy > Data Breaches > Planning > Checklists

For assistance in creating a cybersecurity resilience implementation plan, see

> CYBERSECURITY RESILIENCE IMPLEMENTATION PLAN

> Data Security & Privacy > Cybersecurity Risk Management > Forms

For an example of an internal information security plan, see

> WRITTEN INFORMATION SECURITY PLAN

> Data Security & Privacy > Cybersecurity Risk Management > Forms

1. Ohio Rev. Code Ann. § 1354.02.

2. Press Release, Ohio Attorney General, Data Protection Act Will Incentivize Cybersecurity to Protect Customer Data (Nov. 3, 2017), available at https://www.ohioattorneygeneral.gov/Media/News-Releases/November-2017/Data-Protection-Act-Will-Incentivize-Cybersecurity.

3. Ohio Rev. Code Ann. § 1354.01(B).