
Senate Bill 220 - The Data Protection Act


The Data Protection Act encourages businesses to voluntarily adopt and follow strong cybersecurity policies that protect customer data. Strong policies and definitive action by businesses help spare customers the expense, embarrassment, and harm caused by having their personal information stolen by cybercriminals.

The legislation was sponsored in the General Assembly by Senator Bob Hackett (R-London) and former Senator Kevin Bacon (R-Westerville). After being signed into law by former Governor John Kasich, the Data Protection Act became effective November 2, 2018. This means that businesses can receive the benefits of the Data Protection Act for any activities that occur on or after November 2, 2018.

How Does the Data Protection Act Work?

The purpose of the Data Protection Act is to provide an affirmative defense to a lawsuit that alleges a data breach was caused by a business's failure to implement reasonable cybersecurity controls.

What is an affirmative defense? An affirmative defense allows a defendant to introduce evidence in court that, if found to be credible, negates civil liability even if the allegations in the lawsuit are true.

A familiar example of an affirmative defense is a statute of limitations. A statute of limitations is a rule that requires a lawsuit to be filed within a certain amount of time, such as two years from the date a person is injured. If the injured party waits three years to file its lawsuit, the other party cannot be held liable, even if all of the allegations in the lawsuit are true.

The Data Protection Act's affirmative defense works in a similar fashion. If the business follows the requirements of the Data Protection Act, the business will not be found liable for certain claims in the lawsuit, even if the allegations are correct.

The burden is on the business claiming the affirmative defense to prove in court that its actions met the requirements of the Data Protection Act.

What Does A Business Have to Do to Receive the Affirmative Defense?

To receive the affirmative defense, a business must implement and maintain a cybersecurity program that reasonably conforms to at least one of the 11 industry-recognized cybersecurity frameworks listed in the legislation. The National Institute of Standards and Technology describes a cybersecurity framework as a set of guidelines that help companies identify, detect, and respond to cyber attacks. A framework also typically includes guidance on how to protect against and recover from an attack.

The Data Protection Act is Voluntary

It is important to emphasize that the Data Protection Act is voluntary: the decision whether to comply with the statute is left to the business owner. Rather than imposing a mandate, the Data Protection Act is intended to be an incentive for businesses to achieve a higher level of cybersecurity through voluntary action. In fact, the Data Protection Act specifically says that if a business chooses not to comply with the Data Protection Act, that non-compliance cannot be used against the business in a court proceeding.

How is the Data Protection Act Scalable?

Every business has different cybersecurity needs. According to Fortune magazine, 25 of the largest companies in the world are headquartered in Ohio. However, the United States Small Business Administration indicates that over 939,000 small businesses are based in Ohio as well. Because of this wide range, the Data Protection Act is written to be "scalable." In other words, what the Data Protection Act requires of a given business depends on:

  • The size and complexity of the business;
  • The nature and scope of the activities the business is involved in;
  • The sensitivity of personal information maintained by the business;
  • The cost and availability of tools to improve information security and reduce vulnerabilities; and
  • The resources available to the business.

Which Cybersecurity Frameworks are Included in the Data Protection Act?

The Data Protection Act lists 11 different cybersecurity frameworks, any one of which can be tailored to your business's needs. The frameworks include: