Information Security News mailing list archives

The Ohio Data Protection Act and the Quiet Revolution


From: InfoSec News <alerts () infosecnews org>
Date: Tue, 12 Mar 2019 07:48:33 +0000 (UTC)

https://www.cpomagazine.com/data-protection/the-ohio-data-protection-act-and-the-quiet-revolution/

By Scott M. Giordano
CPO Magazine
March 8, 2019

Since the 2018 U.S. state legislative sessions began, at least 12 states have brought into force updated or entirely new cybersecurity legislation. Some were focused on breach notification, bringing to 50 the number of states with breach laws on the books. Others addressed the need for written information security programs, while yet others promulgated information security in a unique way: California, with its requirement for Internet of Things security; Vermont, with regulation of data brokers, and now Ohio is incentivizing the development of information security programs through tort protection.

As a major privacy trend, several states are introducing data protection legislation in their respective 2019 legislative sessions, and some of these bills incorporate elements of other states' data protection statutes. This "cross politization" of data protection and the sheer number of bills currently moving through state legislatures, along with 2018’s new legislation, collectively represent a quiet revolution in data protection practice in the U.S.; in doing so, it also represents a uniquely American approach to solving a societal problem.

Looking at Ohio, early in August of 2018, then-governor John Kasich signed into law the Ohio Data Protection Act.[1] The law represented a novel approach to data protection:[2] it provides an "affirmative defense" to a "covered entity" against tort claims brought against that entity as a result of a breach of personal information if the entity's cyber security program conforms to industry recognized cybersecurity frameworks or federal regulations cited in the Act.

An affirmative defense is a legal position that, if proven in court, negates a claim brought by a plaintiff and is sometimes referred to as a legal "safe harbor." The Act applies to (1) businesses that process "personal information or restricted information in or through one or more systems, networks, or services located in or outside" of Ohio [emphasis added]; (2) Ohio state institutions of higher education; (3) non-profit organizations; and (4) financial institutions that are chartered by Ohio.

[...]

--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_