Login | April 21, 2019

Ohio passes first-in-the-nation data protection law

Technology for Lawyers

Published: October 26, 2018

A new Ohio law is the first in the country to try to provide protections to businesses if they are sued following a data breach.

That is, if the business conforms to the best available data security protocols for its type of business.

The bill, Senate Bill 220, was entitled the “Data Protection Act.” It is an interlineation to current law, housed at Ohio Rev. Code 1354.01 to 1354.05. The law’s main sponsor was Sen. Robert Hackett (R-London), and cosponsored by Sen. Kevin Bacon (R-Minerva Park), although most of the heavy lifting was done by Hackett’s staff, particularly Stephanie Kaylor.

I got to talk with both senators about the law and came away with a few notes.

The law originally attempted to come up with a “safe harbor” for tort actions against businesses that experienced a data breach, as long as those businesses had the appropriate security in place. This seemed similar to the admonition that attorneys use best practices in their own data security practices as a way of conforming to ethics requirements.

The law gives a long and flexible list of how different businesses can conform to these best practices. Hackett said that, in working through the details of the legislation, it became clear early on that “different kinds of businesses have different uses of data and different levels of security No standard fits all companies, and we looked at over 300.”

A bank, doctor’s office or insurance company, for instance, have a different level of information than something like a candle shop.

Because of this, the new law requires a business to conform to the appropriate data security of its kind of business, and gives numerous examples of how to do this (which can be read in the law—I’m not going to get into all of that here).

The genesis of this law is both surprising and illuminating and comes from an unexpected angle.

Bacon is an attorney (also term limited out after the end of this year). Hackett is not. Nor is he a techie. He’s an insurance guy, and he approached this bill from the point of view of risk management, rather than the law or the technology. Which I think is brilliant, farseeing and should be the way to go in the future of these kinds of laws.

Hackett said that he is on the executive board of the National Council of Insurance Legislators (NCOIL), which asked him to take the lead on creating legislation that could help reduce the risk exposure of companies experiencing a data breach.

That means that it is now clear to the vast insurance industry that data breach risks are something that have to be taken into account in every insurance transaction, the same as the relative safety of a car is taken into account in every car insurance policy.

And that is really good.

But because this is new territory, the specific language of the new law may not really provide the initial idea of a “safe harbor” for victims of a breach, as both senators agreed. The language of the bill isn’t strong enough to do that, as we’ll see in a minute. But we all agreed that this is a good start.

Specifically, the language in question states that a defendant in a data breach case is “entitled to an affirmative defense” of conformance with the appropriate security standards. But there is no language in the law that states exactly what effect that affirmative defense would have at trial. At the very least, that affirmative defense is not specifically exculpatory to any degree.

So it’s not really a safe harbor, a point that Bacon agrees with as he points to the process of making a law out of an idea.

“There was a lot of negotiation that went on with the language,” said Bacon. “So my feeling is that, as the law is implemented, that future legislation can work with weaknesses that come up in court cases.” Courts will also be able to decide exactly what effect this affirmative defense will have as the law progresses through different litigation.

But IMHO this is really a good start. “At least it will make every company in the state aware of computer security,” said Hackett.


*Also note that the new law doesn’t change the 2006 Ohio data breach notification law (Ohio Rev. Code 1349.19), which remains in place.

If you would like to read the entire law as enacted, it is here: