
Bold Move: Ohio and Cybersecurity Safer Harbor (Part 1)


Cybersecurity is an ever-growing concern for the public, private, and non-profit sectors. The implications for workers and the general population are enormous. Strong cybersecurity is vital to the protection of our personal information, economic advantage, and overall public safety.

Many states are attempting to address the issues associated with cybersecurity through special initiatives. These include funding enhanced technology and processes, stipulating cybersecurity-centric practices such as implementing proven security frameworks, increasing punitive efforts through higher-cost penalties, and more.

According to the National Conference of State Legislatures, upwards of 35 states, the District of Columbia, and Puerto Rico have introduced or are strongly considering more than 265 cybersecurity bills or resolutions.

The primary considerations include:

  • Upgrading government security practices.
  • Increasing funding for cybersecurity programs and initiatives.
  • Restricting public disclosure of sensitive government cybersecurity information.
  • Increasing awareness for workforce, training, and economic development.

The State of Ohio and Safe Harbor

Not all states have been successful in passing legislation, though. While the depth and breadth of these efforts vary by state, Ohio has enacted the Ohio Data Protection Act (OH S 220), which addresses certain provisions of the Revised Code relating to safe harbor and provides a legal safe harbor to covered entities that implement a specified cybersecurity program.

Critical Specifications for Ohio's Safe Harbor

In the State of Ohio, safe harbor specifically applies to covered entities (a business that accesses, maintains, communicates, and processes Personally Identifiable Information or "restricted information") that implement, comply with, and manage a cybersecurity program that adheres to an industry-recognized cybersecurity framework. There are specific stipulations regarding non-encrypted information that can identify or be traced to an individual.

There are two primary factors:

  1. The law only applies to tort claims, meaning there is no affirmative defense against contract claims, which are common in breach litigation.
  2. The safe harbor only applies to tort claims that are based on Ohio law or brought in an Ohio court.

To be eligible, a company must develop, implement, and maintain a risk-based cybersecurity program that conforms to the following frameworks and regulations:

  1. The NIST Cybersecurity Framework, NIST’s SP 800-171, SP 800-53, or SP 800-53A, FedRAMP, the CIS Critical Security Controls, or the ISO 27000 family;
  2. For regulated entities, the cybersecurity requirements of HIPAA, the Gramm-Leach-Bliley Act, FISMA, or HITECH, as appropriate; or
  3. The PCI Data Security Standard (PCI DSS) in conjunction with one of the other standards listed in (1) or (2).

Next Up:

Part 2 - Selecting and Implementing a Cybersecurity Framework


Chuck Mackey
