Ohio’s Data Protection Act: A Cooperative Approach to Cyber Legislation


Ohio’s recent enactment of a new cybersecurity law could provide a blueprint for other states to pass similar cyber legislation. In a political climate dominated by the fear of excessive government oversight, an alternative route for states to implement new cybersecurity policy is through voluntary, incentive-based laws.

Cooperative versus Coercive Cybersecurity Legislation

Jeff Kosseff, in the illuminating article “Defining Cybersecurity Law,” talks about the dichotomy between coercive and cooperative aims underlying cybersecurity legislation. The idea behind coercive lawmaking is legislation intended to deter certain behavior. In the context of cybersecurity, a coercive law would deter inadequate data protection practices. An example of a coercive cybersecurity law is Massachusetts’ data security law (Chapter 93H and 201 CMR 17.00). This law requires all businesses in possession of personal information on Massachusetts residents to enact minimum security standards such as a written information security program (“WISP”).

Cyber Legislation based upon the principle of cooperation, on the other hand, would be a law that incentivizes good cybersecurity behavior. An example of a cooperative cyber law is Ohio’s Senate Bill 220, the “Data Protection Act”. The Data Protection Act was the result of Ohio Attorney General Mike DeWine’s CyberOhio, a group of selected stakeholders tasked with creating cybersecurity initiatives that help Ohio’s businesses fight back against cyber-attacks. The Ohio Data Protection Act offers businesses possible protection against data breach liability. To be more specific, businesses that implement and maintain a cybersecurity program in compliance with certain cybersecurity frameworks like NIST’s (National Institute of Standards and Technology) provides a defense against lawsuits filed as a result of data breaches. The language of the bill speaks to the legislature’s intent to incentivize – not deter – a more proactive approach to data protection.

“This act is intended to incentivize and to encourage businesses to achieve a higher level of cybersecurity through voluntary action . . . and [was] not intended to, create a minimum cybersecurity standard that must be achieved.”

On August 3, 2018, Ohio Governor John Kasich signed the Data Protection Act into law. The law goes into effective in November of 2018.

A Blueprint for Other States’ Cyber Legislation?

For state legislatures like Tennessee’s that takes great pride in maintaining a business-friendly reputation, the cooperative rather than coercive element of Ohio’s Data Protection Act represents an intriguing option for proposing similar cybersecurity legislation. Over the past few years, all fifty states successfully passed basic data breach laws. However, certain states like California, Massachusetts, and Oregon have gone even further and enacted data security laws that impose certain requirements on companies that own or process residents’ personal information. As opposed to the Ohio Data Protection Act’s voluntary nature, these data security laws mandate certain behavior.

Some lawmakers are averse to cyber legislation that requires too onerous of requirements (e.g., Congress). The argument over excessive legislation is that too much of it stunts free enterprise and innovation. Yet, laws that incentivize the voluntary practice of adequate cybersecurity measures allays these concerns. Rather, cooperative-based laws benefit both businesses and consumers. From a business perspective, compliance with such laws is low-risk, high reward. From a consumer perspective, better cybersecurity reduces the expense and harm associated with the theft of personal information. In all, a cooperative law like the Ohio Data Protection act is a win-win for all parties.

Conclusion

The increasing sophistication of cyber actors and threats calls for proactive responses. Rather than sit back and do nothing, Ohio is an example of a state which prescribes to the attitude of “something is better than nothing”. Other states would be wise to take notice and emulate this legislative approach to cybersecurity.