How Ohio’s Safe Harbor Act Protects Your Business – Or Not

If you are working with an IT service provider such as Intrust, know that you DO NOT have to know about current data protection because we handle it for you. But you do need to know what the state of Ohio requires to make sure your cybersecurity insurance contract will provide “reasonable” cybersecurity controls.

In 2018, the State of Ohio enacted the Ohio Data Protection Act (SB 220) for businesses to ensure "reasonable" cybersecurity controls are implemented and maintained. It is called the Safe Harbor Act.

It is designed to protect the security and integrity of personal information against anticipated threats and against unauthorized access to, and gathering of, information that could lead to identity theft.

According to Tech Beacon, “the law's protections are noticeably limited in scope to certain types of tort claims, leaving even those businesses that have robust cybersecurity programs vulnerable to statutory violations, such as data breach notification requirements, or claims based in contract, such as a business-vendor dispute.” The law does not dictate requirements; it only sets cybersecurity parameters.

Tech Republic reports, “The law allows businesses to determine the appropriate framework to follow based on the individualized needs of the business.” 

The Ohio law also requires the cybersecurity program be adequate when considering:

  • Resources available to the business
  • Size and complexity of the business
  • Nature and scope of the activities of the business
  • The sensitivity of the information 
  • The cost and availability of tools to improve security and reduce weak areas

If it all sounds a bit mystifying, maybe this explanation from JDSupra will help: “The law operates by incentivizing businesses to develop and maintain a cybersecurity program that ‘reasonably conforms’ to an already existing, industry recognized cybersecurity framework. If the company can prove that it had a compliant cybersecurity program in place at the time of a breach, the company can use the program’s existence as an affirmative defense to certain tort claims.”

So, the bottom line is that the law is helpful, but not a guaranteed protection if you are breached and data is compromised or lost.

Having an experienced MSP such as Intrust as your IT partner allows you to be confident that changes in laws such as these are being covered. We keep watch and let you know if something needs to be changed.

Not a client? No worries. Contact us or book a no-obligation meeting to learn whether Intrust IT is the right IT and cyber security partner for your business.

Intrust Man

Intrust Man may be small, but he is mighty smart. You can trust this clever cartoon hero to provide news you can use.
