A Deep Dive into the Ohio Data Protection Act – Your Questions, Answered.

NOTE: While the webcast and our published materials are an analysis of this new law, they are not legal advice; for legal advice on this subject please seek legal counsel. Some of these questions have been edited for clarity.

Jurisdiction Questions

Question: Does this protection only exist if you’re an Ohio business? Can you explain the protection for those of us that are not Ohio companies?
Answer: This protection applies to what the Act calls a “covered entity,” a business that “accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside this state.” Based on this reading, the safe harbor could apply to any business, including those outside of the U.S.

Question: Are the recommendations good for Ohio only or can they be applied for other states as well?
Answer: The recommendations benefit residents of Ohio; other states would have to pass their own version of the law.

Question: How would a challenge from another state (e.g. California) be addressed by this kind of defense? Would California recognize some kind of reciprocity in recognition of the certification provided by Ohio?
Answer: It’s unclear why another state would challenge this safe harbor or what legal theory they would use, given that it’s designed to protect Ohio residents. If another state wanted to offer reciprocity, almost certainly it would have to enact the same type of legislation.

Question: Are the recommendations good for OH only or can they be applied for other states as well?
Answer: At the moment, only those that access the personal or restricted information of Ohio residents can benefit. However, there is nothing preventing other states from enacting the same legislation and others may well copy Ohio’s approach.

Question: How will this safe harbor work in the context of an interstate lawsuit? For example, the entity is located outside of Ohio but processes the data of data subjects in Ohio? And self-regulatory frameworks presume the responsibility of compliance falls on the entity applying it. How is the implementation of self-regulatory framework going to be assessed in the context of a legal proceeding?
Answer: The most likely scenario is that, in the event of a breach, a lawsuit on behalf of Ohio residents would be filed in Ohio state or federal court (assuming the criteria for federal jurisdiction can be met). The defendant entity would, as part of its defense, offer proof of its compliance with the framework or regulation in question, and then a judge would decide whether the standard was met. If so, the tort action would not be allowed to proceed. Actions on other theories (breach of warranty, etc.) could still proceed, however.

Other Questions

Question: What is the effective date for Ohio Act?
Answer: November 2, 2018.

Question: How would the Ohio Act protect its residents in the Equifax breach (note: Equifax is both PCI and ISO 27K certified)?
Answer: If you’re referring to the attorney general’s office, it would likely bring an action based not on the tort of negligence but on unfair or deceptive business practices. If Equifax met the requirements for the safe harbor, they could argue that there was no deception or unfairness. It’s an interesting question.

Question: Do you have any thoughts on how SB220 compares to New York State’s Department of Financial Services Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500)?
Answer: Part 500 goes beyond what GLBA requires in terms of controls mandated. Arguably, if an entity was certified by a third party as compliant with Part 500, the entity could also claim compliance with the ODPA (assuming the personal data in question is covered by Part 500).

Question: How does this Ohio Act/law impact contracts with California business/government entities? Has anyone identified appropriate contract language/provisions for this special case?Answer:  There’s no particular impact for contracts with California entities that don’t apply to those in other states. A possible appropriate clause is to require proof when a business partner or other third party claims safe harbor protection and to require notification if the state of compliance fails to meet the requirements of the Act for any reason.

Question: Could you explain what makes an affirmative defense different from a reply to a legal complaint that asserts compliance with a self-regulatory framework?
Answer: An affirmative defense, if proven, negates a plaintiff’s charge of negligence. A reply denying the allegations of a complaint because of compliance with a framework would still have to be resolved during litigation and even then might not be successful, depending on factors such as the risk involved, the nature of the personal data, etc.

Question: Can this framework be “influential” on other State’s laws [e.g. CCPA]?
Answer: If the Act functions more or less successfully over time, then it could become the persuasive authority.

Question: Should we require Ohio compliance for third-party service providers such as Azure, AWS, and Software-as-a-Service providers?
Answer: Given how common data protection requirements are for third parties (e.g. those in the GDPR), this is a sound approach. Many, if not most, SaaS providers claim compliance with major data protection regulations.

Question: What advice do you have for financial institutions who are already required to comply with HIPAA/HITECH and GLBA?
Answer: While we can’t give legal advice, we can point out that if your “cybersecurity program reasonably conforms to the entirety of the current version of” one of the statutes cited in §1354.03(B)(1) and can demonstrate it, ostensibly you would receive the safe harbor benefit.

Question: Are ISO and SOC considered valid cybersecurity frameworks? If the organization does not process any credit cards, do they need to still be PCI-DSS compliant?
Answer: The ISO 27000 family of frameworks is one of the listed acceptable frameworks. If an entity does not process payment cards, that PCI-DSS would not be relevant.

Question: In a smaller non-public company does SOC 2 Type 2 suffice or do we have to get NIST, etc. certified?
Answer: Potentially, yes, but it depends on how the artifacts that the auditors are examining line up with the requirements of the framework or regulation in question. A crucial aspect of obtaining the safe harbor benefit is being able to prove compliance with one of the frameworks or regulations, as applicable, and proper documentation is key to that.

Question: Is the Data Protection Act a set of optional guidelines for protection from lawsuits or is it providing rules that businesses must abide by?
Answer: It is optional.

A Deep Dive Into the Ohio Data Protection Act

Got more questions? Contact Us