FTC Defense Lawyer Discusses Ohio’s New Data Protection Act
As previously blogged about here, digital marketers must take care to stay abreast of domestic date privacy legislation. In fact, at a time with the tech industry is pushing for federal privacy legislation, California, Colorado and Vermont have respectively enacted privacy, cybersecurity and data broker disclosure laws.
Add Ohio to the mix.
Effective November 1, 2018, the Ohio Data Protection Act will affords companies that access, maintain, communicate or process personal information (as defined in Ohio Revised Code 1349.19) or restricted information (unencrypted information about an individual that can be used to distinguish or trace the individual’s identity) that implement industry recognized security measures (e.g., written cybersecurity protocols and privacy controls) a defense in the event of a data breach.
Such security measures must conform to specifically designated security standards and industry-specific privacy laws (e.g., HIPPA, GLBA, etc.) appropriate to a business’ size and activities, and be reasonably designed to safeguard personal information and minimize vulnerabilities.
The ODPA applies to any “tort that alleges or relates to the failure to implement reasonable information security controls, resulting in a data breach,” It does not apply to contract actions. The law is also distinguishable from the new California and Colorado legislation in that the Ohio law is voluntary in nature.
The ODPA is, to some extent, similar to the Federal Trade Commission’s “Start With Security” guidance om that what is reasonable may depend on the size and nature of business operations. However, basic policy considerations consistently apply. Do not collect sensitive information that is not needed. Protect the information that is maintained. Do not use personal information when it is not necessary. Retain information only as long as a legitimate business need exists. And, train staff to carry out policies and ensure that they are following through.