Heading 1

You can edit text on your website by double clicking on a text box on your website. Alternatively, when you select a text box a settings menu will appear. Selecting 'Edit Text' from this menu will also allow you to edit the text within this text box. Remember to keep your wording friendly, approachable and easy to understand as if you were talking to your customer

TAG Cyber Law Journal

August 2019
Ohio’s new Data Protection Act awards companies an affirmative defense if they’ve adopted designated cybersecurity standards.
By Matt Fleischer-Black
IT’S SUMMERTIME. THE LIVING IS EASY, RIGHT? Maybe not for in-house lawyers who have been dealing with data breach scares and worrying about a whirlwind of change in state privacy regulations. They may find it tough to relax. To get away from all that, they might want to take a virtual trip to Ohio, where a new law takes an approach to data protection that companies are likely to find refreshing.
     The Ohio Data Protection Act (ODPA), passed in 2018, offers companies a deal. If a business improves cybersecurity to conform to a “recognized cybersecurity framework,” and maintains that standard, then the ODPA puts the company in a legal safe harbor, where it can block any tort claims against it for a breach of customer data.
     This new law was the first in the nation to use incentives rather than threat of punishment to strengthen cybersecurity. Many corners of the business community have heralded this approach, as has the Conference of Western Attorneys General. This attention comes even though the ODPA applies only to lawsuits under Ohio law or in Ohio courts. Some observers question how many companies the law will help in Ohio, where the data breach docket is usually dormant. Meanwhile, outside of the state, plaintiffs lawyers now may try to use Ohio’s standards to challenge data  breach defendants—the law possibly hurting companies rather than helping.

Inspiring Small Businesses to Act
The ODPA lists 10 standards that qualify a company for the defense. Four are sector-specific federal standards that health care companies, banks and payment card companies may already follow. The other six of these voluntary standards come from nonprofit organizations or the National Institute of Standards and Technology (NIST).
     When a company “reasonably conforms” to one of these standards, the law grants it an affirmative defense to knock down negligence or other tort claims. The company could assert the affirmative defense in a motion as its first action in the case, even before filing its initial answer to the claims.
     The law is all carrot, no stick. The Ohio attorney general gains no new enforcement powers, said John Landolfi, chair of the privacy and data security practice at Vorys Sater LLP. “The legislation specifically states that it does not create a minimum cybersecurity standard that must be achieved,” he explained.
     Corporate cybersecurity managers throughout the country are starting to hear about the ODPA. Vendors of cloud and other information security services, like Microsoft, have started citing ODPA benefits in marketing and training materials for their services. Iowa legislators have introduced a similar bill. The Cybersecurity Working Group of the Conference of Western Attorneys General praised the law, saying that the safe harbor will “allow businesses to view and treat cybersecurity upgrades as investments, not costs.”
     “We were trying to come up with something that was for the mass of nonregulated small businesses,” said Kirk Herath, associate general counsel of Nationwide Mutual Insurance Co. and head of the advisory committee that proposed the law. “We really started out with NIST, because it’s so scalable from the macro. If you’re the small business, here are the 10 things you need to do in general, and those 10 things map into 50 things to do,” Herath explained.
     The law appears to be spurring new and increased cybersecurity effort, as intended, said Brian Ray, who runs the Center for Cybersecurity and Privacy Protection at Cleveland-Marshall College of Law and served on the committee. “I definitely have heard from some several in-house counsel that organizations and companies are actively either adapting or reconfiguring their cybersecurity programs to try to map to the act’s requirements, so that they can, in the event of litigation, take advantage of it,” he said.
     Some of these in-house attorneys found that highlighting the law and its benefits persuaded other managers to move cybersecurity efforts forward. “It has given them leverage within their organizations,” Ray added.

Rewarding Regulated Companies
Herath’s company, Nationwide, is the rare one to face a data breach lawsuit under Ohio law. In 2012, hackers stole the personal information of 1.1 million Nationwide customers. In 2016, the 6th U.S. Circuit Court of Appeals ruled for the plaintiffs/appellants on standing, even without showing identity theft or other misuse of the data. The two sides settled in 2017.
     In addition to addressing the cybersecurity gaps of small business, the ODPA also rewards the compliance efforts that large companies in insurance and other regulated industries already make. At Nationwide, Herath said, “we are examined incessantly. We have about 10 or 12 exams a year from different regulators. At some point, you should get some credit for what you’re already doing well, and spending tens of millions of dollars doing,” he said.   
     Should a company suffer a data breach while believing its security measures were reasonable, it would start defending a lawsuit by providing a detailed attestation of all the steps that it took to conform to a qualifying cybersecurity standard. Company lawyers would add evidence that the company continued to maintain that program up until the breach, pointing to certifications it earned, and move to dismiss the claims.

A Litigation Shield or Not?
On paper, that protection should dissuade class action attorneys from suing. But in real life, said Joseph Lazzarotti, who chairs the cybersecurity and privacy practice of Jackson Lewis LLP, plaintiffs attorneys likely will test an unproven law, and contest the company’s evidence. “There will be some litigation before you escape the litigation,” he said. The very existence of a breach may sway the first judges that hear these cases. That would prompt the judge to grant discovery, which might involve the expense of forensic analysis and expert evaluations. 
     Landolfi of Vorys Sater noted that Ohio’s law requires a company to consistently maintain its cybersecurity. “Showing compliance with this statute is not going to be an easy thing,” Landolfi said. The ODPA also won’t block plaintiffs from filing breach of contract or statutory claims, which their lawyers commonly include in data breach class actions. “I don’t think it will become much of a shield for companies to remove themselves or extricate themselves from litigation,” he concluded.
     Yet a number of lawyers said that the mere existence of Ohio’s affirmative defense would prompt lawyers to sue elsewhere whenever possible. Ohio’s standards, said Brian Ray, may benefit plaintiffs lawyers who sue in other jurisdictions. “What Ohio may have done is create a de facto legal standard for what you have to do for security that, arguably, is higher than what a common-law tort standard might be,” Ray explained.  
     According to Nationwide’s Herath, legislators in at least two other states besides Iowa have been looking into drafting safe harbor laws. He predicted that a handful will adopt similar laws within a couple of years. “The way legislatures work, they will watch a law and see how it’s rolled out and incubated elsewhere,” he said. 
     Iowa’s bill hasn’t progressed very far, but it has drawn lobbyists. Before Ohio’s law passed, plaintiffs attorneys and privacy advocates decried it, arguing that it would make lawsuits too risky and costly for consumers and that the standards weren’t reliable enough security measures to earn this blanket protection. The arguments were familiar to general counsel. “You could throw this [law] into a minor tort reform category,” said Herath, referring to how the policy debate is shaping up.  
     Yet, giving businesses incentives to improve cybersecurity is a commonsense public policy, he contended. Setting clear standards about reasonable data protection is fair for all litigants. Ohio’s law, he said, “is effectively just a marker down on what the standard of care is for cybersecurity.”

Matt Fleischer-Black is a freelance journalist and a former senior reporter at The American Lawyer. He has worked for ProPublica, The National Law Journal, The New York Observer and The Village Voice. He lives in New York.