Can you summarize OHRC Chapter 1354?
Commercial Transactions > Businesses Maintaining Recognized Cybersecurity Programs
Short Summary
This legal document pertains to businesses maintaining recognized cybersecurity programs. It defines key terms such as ‘Business’, ‘Covered entity’, ‘Data breach’, ‘Personal information’, and ‘Restricted information’. The document outlines the requirements a covered entity must meet to qualify for an affirmative defense under sections 1354.01 to 1354.05 of the Ohio Revised Code.

Covered entities must create, maintain, and comply with a written cybersecurity program that contains safeguards for the protection of personal information, or of both personal information and restricted information. The cybersecurity program should reasonably conform to an industry recognized cybersecurity framework and aim to protect the security and confidentiality of the information, protect against anticipated threats or hazards, and protect against unauthorized access to and acquisition of the information. The appropriateness of the cybersecurity program should be based on factors such as the size and complexity of the covered entity, the nature and scope of its activities, the sensitivity of the information to be protected, and the resources available to the covered entity.

If a covered entity satisfies these requirements, it is entitled to an affirmative defense to any cause of action sounding in tort that alleges a failure to implement reasonable information security controls resulting in a data breach concerning personal information or restricted information. The document also specifies the ways in which a cybersecurity program can reasonably conform to an industry recognized cybersecurity framework: conforming to specified frameworks, conforming to the security requirements of specific laws and regulations, or complying with the Payment Card Industry (PCI) data security standard together with another applicable industry recognized cybersecurity framework. The document does not provide specific penalties for non-compliance.
Whom does it apply to?
Businesses, including financial institutions, operating for profit or not for profit
What does it govern?
Businesses maintaining recognized cybersecurity programs
What are exemptions?
Good faith acquisition of information by employees or agents of covered entities, acquisition of information pursuant to legal processes or regulatory duties
What are the Penalties?
The penalties for non-compliance are not specified.
Jurisdiction
Ohio