USA - Ohio
whose personal information is involved in data breaches, the Ohio DPA incentivizes Ohio businesses to take steps to protect personal information that they may otherwise not take. Although narrow in scope in that it may apply only after specified allegations are made, the Ohio DPA is unique in that it takes an incentive- based (as opposed to punitive- based) approach to achieve a desired outcome whereby the overall security of consumer data is enhanced through efforts made by companies that process such data to create cybersecurity programs. 2.2.Ohio Personal Privacy Act (OPPA) – Introduced In addition to its novel enactment of the DPA, Ohio is also following in the footsteps of an expanding set of U.S. states – such as California, Connecticut, Colorado, Utah and others - that have enacted comprehensive consumer data privacy legislation. Specifically, in 2021 Ohio introduced House Bill 376, known as the Ohio Personal Privacy Act (“OPPA”), to the Ohio House of Representatives. If ultimately enacted, OPPA would provide consumers with enumerated and hallmark rights pertaining to the use and maintenance of their personal data that are mirrored in the comprehensive data privacy legislation elsewhere in the country. In addition to affording consumers with specific rights pertaining to the processing of their personal data, OPPA would also require businesses
This article explores the core components of both OPPA and the Ohio DPA, assesses the new requirements for Ohio businesses under this emerging framework, and forecasts the new rights Ohioans may soon enjoy pertaining to the protection of their personal information. Governing Data Protection Legislation 2.1.Ohio Data Protection Act (DPA) – Existing In 2018 Ohio took the trailblazing step of enacting the Ohio Data Protection Act (DPA), which provides companies that implement specified cybersecurity programs a legal “safe harbor” in actions against them pertaining to data breaches. Specifically, the Ohio DPA was the first such law in the nation to offer covered entities who implement specified cybersecurity programs an affirmative defense to specific causes of action sounding in tort.[1] Applicable causes of action must be brought under Ohio law or in Ohio court. Additionally, for the affirmative defense to apply, the cause of action must allege “that failure to implement reasonable information security controls resulted in a data breach concerning personal or restricted information.”[2] Given the ever-increasing cadence of data privacy-related litigation stemming from consumer-plaintiffs
[1] Ohio Rev. Code, 1354.02(D) [2] Id.
https://www.mcdonaldhopkins.com/
Made with FlippingBook - PDF hosting