What is Ohio’s Data Protection Act (the “DPA”)?
On November 2, 2018, Ohio enacted Revised Code 1354.01, et seq., known as the Data Protection Act (the “DPA”). The basic purpose of the DPA is to incentivize businesses to implement and update their cybersecurity measures. The DPA was launched as part of then-Attorney General Mike DeWine’s CyberOhio Initiative.
How Does the DPA Work?
The DPA provides a “safe harbor” for covered business entities that are the subject of a data breach. That means that if your business complies with the DPA, and a data breach gives rise to a lawsuit or other legal action alleging failure to implement appropriate cybersecurity measures, then the DPA can potentially be raised as an affirmative defense.
How Can a Business Comply with the DPA?
A covered business entity can be a limited liability company, limited liability partnership, corporation, sole proprietorship, or other recognized institution, so long as that entity maintains, communicates, or processes personal or restricted information through a system or network. In other words, the business entity must have a computer-based or cloud-based data system. The business entity must do one of the following:
(1) Create, maintain, and comply with a written cybersecurity program that contains . . . safeguards for the protection of personal information and that reasonably conforms to an industry recognized cybersecurity framework . . . ; or
(2) Create, maintain, and comply with a written cybersecurity program that contains . . . safeguards for the protection of both personal information and restricted information and that reasonably conforms to an industry recognized cybersecurity framework . . .
Further, the cybersecurity program must then do all of the following:
(1) Protect the security and confidentiality of the information;
(2) Protect against any anticipated threats or hazards to the security or integrity of the information;
(3) Protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.
To read the full statute, check out Revised Code, Chapter 1354.