Ohio Data Protection Act

Ohio Senate Bill 220

On Sept. 21st, 2018, Ohio Governor John Kasich signed “Senate Bill 220,” nicknamed the Ohio Data Protection Act. It is the first law of its kind in the United States: rather than mandating controls, it gives covered businesses an incentive to implement specific cyber-security controls by granting them an affirmative defense in data breach litigation.

An affirmative defense is a set of facts, separate from those alleged by the plaintiff, that the defendant raises and must prove. If the business shows that it meets the Act’s requirements, it can defeat or mitigate a tort claim arising from a breach of its systems even if the plaintiff’s allegations about the breach are true. Note that this is a defense, not immunity: the business still has to plead it and carry the burden of proving that its program met the statutory requirements at the time of the breach, so the program and the evidence of conformance need to exist before an incident, not after.

Eligible businesses can rely on their conformance with a recognized cyber-security framework as an affirmative defense against tort claims alleging that a failure to implement reasonable information security controls resulted in a data breach. In effect, the state of Ohio is giving businesses a legal incentive to adopt one of these cyber-security programs.

Organizations that want to take advantage of this incentive must create, maintain, and comply with a written cyber-security program designed to protect the security and confidentiality of the information in their environment, whether that is a small business or a large enterprise. To be able to assert the affirmative defense, the business must be able to prove that its program “reasonably conforms” to one of the accepted cyber-security frameworks.

The accepted cyber-security frameworks are listed below. A business must implement at least one of them and reasonably conform to it.

– National Institute of Standards and Technology (NIST) Cybersecurity Framework
– NIST Special Publication 800-171, or NIST SP 800-53 together with 800-53A
– Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework
– Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense
– International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27000 family of Information Security Management Systems standards

To qualify for the affirmative defense, a company must meet two requirements: it must have a written cyber-security program, and that program must “reasonably conform” to one of the frameworks listed above. ComplyUp will soon release a free Information Security Program generator to cover the written-program requirement. Once it is released, ComplyUp can be a one-stop shop for everything you need to establish and maintain your eligibility for the affirmative defense.

Fortunately, this isn’t as tough a task as it may sound. ComplyUp specializes in helping small, mid-sized, and large companies become NIST 800-171 compliant; in our experience it is the least demanding of the listed frameworks and the quickest to complete. With our easy-to-use platform, you are guided step by step through the NIST 800-171 process. By the end, you will have the documentation you need if you are ever required to prove that you “reasonably conform” to one of the listed frameworks. At a fraction of the cost of other providers, ComplyUp also delivers a clean user experience and explains in plain language what each control actually requires. It eliminates the headache of working through one of these frameworks on your own and spares you the expense other providers would charge. We offer a 14-day free trial with no credit card required so we can prove that we are the best option on the market. It is the last step before your business can assert the affirmative defense.