Last August, Governor John Kasich signed the Ohio Data Protection Act into law.
The law creates a safe harbor that insulates “covered entities” from tort liability under Ohio state law if they “create, maintain, and comply with a written cybersecurity program” that “reasonably conforms” to one of the specified cybersecurity frameworks (including several NIST and ISO controls, and other relevant laws that may apply such as HIPAA, GLBA, and FISMA).
Being the first of its kind, the law is, by definition, a precedent setter. But how much of an impact will it have on its own?
In short, not much. The scope of the law is limited to liability under Ohio law – and only tort law at that – in Ohio courts. In other words, the law only creates a safe harbor against being sued for negligence or some other form of tort malfeasance in Ohio.
Despite all this naysaying, this law should be good news at least for covered companies already operating in Ohio, right?
Unfortunately, not as much as one may think. In determining whether a company was negligent in a data breach, courts already look at that company’s compliance with industry standards.
The new law doesn’t cut out any steps to asserting such compliance as a defense to negligence. It still forces companies to go to court and litigate whether they were compliant with the named industry standards and thus eligible for the safe harbor – which is very likely what they would have done regardless of the new law.
Granted, the law does insure against Ohio courts increasing their expectations, such that compliance with industry standards is no longer enough, but the likelihood of that happening in the foreseeable future is dubious at best.
The law, then, doesn’t make a lot of immediate waves in the cybersecurity legal landscape. That may change if other states – or more importantly, the federal government – enact similar laws, in which case, Ohio would be the trendsetter for a potential new nationwide standard.
Given that the law only took effect this past November, it remains to be seen how the law will actually play out, or whether it will have any impact whatsoever.