The Ohio Data Protection Act, also known as Senate Bill 220, was signed into law on August 3, 2018 and became effective on November 2, 2018. The act was designed to give businesses and organizations a legal incentive to voluntarily implement a cybersecurity program: a covered entity whose program meets the act's requirements gains an affirmative defense against tort claims brought under Ohio law alleging that a failure to implement reasonable information security controls resulted in a data breach. In the words of the bill, its purpose is to:
…provide a legal safe harbor to covered entities that implement a specified cybersecurity program, to allow transactions recorded by blockchain technology under the Uniform Electronic Transactions Act, and to alter the definition of “key employee” under the Casino Gaming Law…
The act does not define its own control set. Instead, the cybersecurity program must “reasonably conform to the current version of any of the following or any combination of the following” recognized frameworks:
- National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
- NIST Special Publications 800-53, 800-53A, or 800-171
- Federal Risk and Authorization Management Program (FedRAMP) security assessment framework
- Center for Internet Security Critical Security Controls (CIS CSC)
- International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27000 family
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule (45 CFR Part 164, Subpart C), for entities regulated by HIPAA
- Health Information Technology for Economic and Clinical Health Act (HITECH), for entities regulated by it
- Title V of the Gramm-Leach-Bliley Act of 1999 (GLBA), for entities regulated by it
- Federal Information Security Modernization Act of 2014 (FISMA), for entities regulated by it
- Payment Card Industry Data Security Standard (PCI DSS), only in combination with one of the other frameworks listed above
The Ohio Data Protection Act takes an approach that other states may soon follow. Rather than penalizing a business for failing to comply with a specific regulatory framework, the legislature is essentially “dangling a carrot”: it entices businesses to improve their cybersecurity programs voluntarily by offering a legal safe harbor to those that adhere to one of the designated frameworks. The act is not a silver bullet. It does not prevent a breach lawsuit from being filed, it creates no minimum standard of care, and the defense only applies to tort claims under Ohio law; the business still has to plead and prove that its program reasonably conformed to the chosen framework at the time of the breach. Even so, it provides real protection for businesses that have decided to take their cybersecurity program seriously.
What should your business do to qualify for the Ohio Data Protection Act's safe harbor?
To be covered by the Ohio Data Protection Act, a business needs a written cybersecurity program that reasonably conforms to one (or more) of the frameworks above, is scaled to the size and complexity of the business and the sensitivity of the data it handles, and tracks the current version of the framework (when a framework is revised, the act gives the business one year from publication to conform to the revision). Need help? We at Stronghold Cyber Security are regulatory compliance experts and can help you decide which framework best suits your company. If needed, we can also write and assist in the implementation of a System Security Plan (SSP), a Plan of Action and Milestones (POAM), and other required documents. Reach out to us at 1-800-378-1187 or via the form below so we can help you get started!