https://www.cpomagazine.com/data-protection/the-ohio-data-protection-act-and-the-quiet-revolution/
By Scott M. Giordano
CPO Magazine
March 8, 2019
Since the 2018 U.S. state legislative sessions began, at least 12 states have
brought into force updated or entirely new cybersecurity legislation. Some were
focused on breach notification, bringing to 50 the number of states with breach
laws on the books. Others addressed the need for written information security
programs, while still others promoted information security in a unique way:
California, with its requirement for Internet of Things security; Vermont, with
regulation of data brokers; and now Ohio, which is incentivizing the development of
information security programs through tort protection.
As a major privacy trend, several states are introducing data protection
legislation in their respective 2019 legislative sessions, and some of these
bills incorporate elements of other states' data protection statutes. This
"cross-pollination" of data protection and the sheer number of bills currently
moving through state legislatures, along with 2018's new legislation,
collectively represent a quiet revolution in data protection practice in the
U.S.; in doing so, they also represent a uniquely American approach to solving a
societal problem.
Looking at Ohio, early in August of 2018, then-governor John Kasich signed into
law the Ohio Data Protection Act [1]. The law represented a novel approach to data
protection [2]: it provides an "affirmative defense" to a "covered entity" against
tort claims brought against that entity as a result of a breach of personal
information if the entity's cybersecurity program conforms to industry
recognized cybersecurity frameworks or federal regulations cited in the Act.
An affirmative defense is a legal position that, if proven in court, negates a
claim brought by a plaintiff and is sometimes referred to as a legal "safe
harbor." The Act applies to (1) businesses that process "personal information
or restricted information in or through one or more systems, networks, or
services located in or outside" of Ohio [emphasis added]; (2) Ohio state
institutions of higher education; (3) non-profit organizations; and (4)
financial institutions that are chartered by Ohio.
[...]