Ohio Attorney General Mike DeWine has signaled his continuing support for a new Ohio law that would promote industrywide cybersecurity protections for consumers. Senate Bill (SB) 220, the Data Protection Act, encourages businesses to voluntarily adopt cybersecurity controls and best practices to protect consumer data.
The Data Protection Act provides businesses with ten suggested cybersecurity frameworks based on industry-recognized programs. These frameworks are derived from existing federal laws, such as the Health Insurance Portability and Accountability Act, as well as reports by third parties such as the National Institute of Technology and Science. While participation is optional, businesses that implement one of these frameworks will be entitled to a legal safe harbor in the event of a data breach lawsuit alleging the company failed to implement reasonable information security controls.
The Data Protection Act is the first piece of legislation being introduced as a result of Attorney General DeWine’s CyberOhio Initiative. CyberOhio was launched in 2016 as a state-sponsored forum to promote collaborative talks on cybersecurity initiatives between industry professionals and the government.
SB 220 has passed the Senate and is currently scheduled to go before the Ohio House of Representatives for further consideration. Amid mounting concerns relating to consumer privacy and data protection, the Bill will likely receive extensive discussion but avoid opposition strong enough to prevent its passage. New York’s SHIELD law, which provides a similar safe harbor for entities in certified compliance with one of several preordained cybersecurity frameworks, has enjoyed legislative support across both sides of the aisle and may prove instructive on what can be expected with Ohio’s Data Protection Act.
Be sure to follow M&S Compliance Now as we continue to monitor and share the latest developments and potential impact of SB 220 on organizations conducting business with Ohio consumers.