CSU Cleveland-Marshall College of Law’s Center for Cybersecurity and Privacy Protection Advisory Board member and CyberOhio Chair Kirk Herath led a small group of experts, including Center Director Professor Brian Ray and two other Center Board members, Tim Opsitnick and Spence Witten, in drafting Ohio’s landmark privacy bill, which was announced at a July 13 press conference by Ohio Lt. Governor Jon Husted and several lawmakers.
Lt. Governor Husted previewed House Bill 376, also known as the Ohio Personal Privacy Act (OPPA), at the Center’s annual Cybersecurity and Privacy Protection Conference on May 28.
OPPA would establish data rights for Ohioans while requiring businesses to adhere to specified data standards. It would primarily apply to businesses with $25 million or more in gross revenue in Ohio or businesses that control or process large amounts of data. The law provides a novel safe harbor against penalties for Ohio businesses that go beyond these basic protections and create privacy programs conforming to the National Institute of Standards and Technology (NIST) Privacy Framework.
OPPA would also change Ohio laws so that businesses that take reasonable precautions and meet NIST’s industry-recommended standards would be afforded an affirmative defense against legal claims. To trigger the affirmative defense provision, businesses must create their own data privacy programs that meet the standards specified in the latest version of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. This affirmative defense encourages businesses to adopt the NIST Privacy Framework, which would require all rights and obligations outlined in the bill.
The drafting team was a subgroup of CyberOhio, an advisory committee that is a branch of InnovateOhio, headed by Lt. Governor Husted. In addition to chairing CyberOhio and serving on the Center’s Advisory Board, Herath is an instructor in the law school’s online Master of Legal Studies (MLS) program in Cybersecurity and Data Privacy.
“While Ohio joins over 20 other states that have introduced or passed data privacy legislation, I believe that Ohio’s novel use of the NIST-Privacy framework as the Safe Harbor standard of care makes it the most innovative proposal to date,” said Herath. “It ushers in the use of a national framework that can be a useful model for other states to begin to build a state-based national and uniform privacy standard, without Congressional action.”
“This bill demonstrates that the outstanding work of our Center for Cybersecurity and Privacy Protection and Professor Brian Ray benefits Ohio and the nation through both its academic and applied industry leadership,” said CSU Cleveland-Marshall Dean Lee Fisher.