Business Law Blog

New Ohio Data Protection Act Takes Effect

Nov 01, 2018

On August 3, 2018, Governor Kasich signed the Ohio Data Protection Act (“Act”), which provides a new defense against data breach lawsuits for those companies that implement and maintain cybersecurity programs specified criteria. This is the first law of its kind in the United States and demonstrates that Ohio is on the cutting-edge of cybersecurity laws. Unlike other states’ legislative schemes, the Act does not create a minimum cybersecurity standard or impose liability upon companies that do not obtain or maintain practices in compliance with the Act. Rather, the Act seeks to incentivize companies to implement and maintain an effective cybersecurity program. Eligible companies may rely on their conformance to the Act as an affirmative defense against tort claims in data breach litigation. The Act goes into effect on November 2, 2018.

In order to qualify for this new defense, companies must implement a written cybersecurity program designed to (1) protect the security and confidentiality of personal information, (2) protect against anticipated threats or hazards to the security or integrity of personal information, and (3) protect against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or fraud. The Act acknowledges that there is no “one size fits all” approach to cybersecurity. Thus, the Act offers companies flexibility in order to tailor a cybersecurity program to its industry needs.

If implemented in a manner that conforms to the specified legal requirements, compliance with the Act provides businesses an opportunity to curtail some of the risk associated with a data breach of sensitive information collected.  In deciding whether to take advantage of this opportunity, companies should take into account the ever-increasing number of high-profile data breaches. The Act may change the calculus for many small businesses who desire to avoid the risk of litigation, reputational harm, and other financial costs resulting from data breaches. Companies should note that qualification for this new safe harbor will not be automatic and may be challenging to establish. Additional guidance to businesses may be forthcoming in the months ahead, and it is likely that this will be a hot button issue in the courts.

For questions about the Act or other cybersecurity issues that may impact your business, please contact Day Ketterer at 330-455-0173.


The content of this blog is for informational purposes only and is not intended as legal advice for any purpose. This blog is not intended to present an exhaustive summary of all applicable laws, or to take the place of legal advice.  If you have any questions regarding the law, please contact us for assistance.