On this week’s episode of The CAP⋅impact Podcast I talked with one of the members of the CyberOhio Advisory Board that drafted the Ohio Data Protection Act (ODPA), Cleveland State University Cleveland-Marshall College of Law Professor Brian E. Ray. The ODPA takes a unique approach to data privacy and data security compared to the other states that have jumped into this space.
There are essentially three buckets of data privacy laws in the U.S. There are heavily proscriptive and comprehensive laws like California’s CA Consumer Privacy Act. And then there are laws that take either the carrot or the stick approach to data privacy. Ohio is the state to go the carrot route.
ODPA creates a voluntary data privacy standard for companies to adhere to. In return, companies meeting the voluntary standard can claim a safe harbor from tort suits brought against them under Ohio law for data breaches. Companies can do this by either holding themselves to a federal standard that they are already regulated under – such as HIPAA for companies in the healthcare industry – or to a set of industry recognized best practices.
Basically, if a company is a victim of a data and has complied with the rules and regulations under ODPA, that company can assert the ODPA as a defense if a tort case is brought against it under Ohio law. It is worth noting that companies cannot use the law to protect themselves from any criminal liability, or from tort claims brought against them under federal law or another state’s law.
You can learn more about Professor Brian E. Ray on his Cleveland-Marshall School of Law faculty page and you can find his published work here. As always, if you enjoyed today’s conversation please share it with a friend. Or, if you haven’t already, please subscribe to The CAP⋅impact Podcast on your preferred podcast listening app and leave us a positive review and 5-star rating on Apple Podcasts.