On Friday, August 3, Governor Kasich signed Ohio Senate Bill 220, which acknowledges for the first time the legitimacy of blockchain transactions as enforceable electronic transactions and creates an affirmative defense to tort actions against eligible businesses for claims relating to data breaches. The law goes into effect in 90 days.
Blockchain
Senate Bill 220 acknowledges the legitimacy of blockchain transactions by affirming that both electronic records and electronic signatures may be created through use of blockchain technology. The law does this by modifying the statutory definitions of "electronic record" and "electronic signature" to include references to blockchain technology.
Safe Harbor: Subject Matter and Scope
In addition to acknowledging the legitimacy of blockchain technology, the law creates an affirmative defense to tort actions brought against eligible businesses that have suffered a data breach.
To be eligible for the affirmative defense, which the law refers to as a "safe harbor," a business must have adopted a cybersecurity program that reasonably conforms to the law's requirements. The safe harbor applies to any tort action, brought either under the law of the State of Ohio or in the courts of the State of Ohio, claiming that a covered entity's¹ failure to implement reasonable information security controls resulted in a data breach involving "personal information" or "restricted information."
Although the term "personal information" has the same narrow meaning given to it by Ohio's data breach law, the term "restricted information" is more expansive and includes any information that "can be used to distinguish or trace [an] individual's identity or that is linked or linkable to an individual," if such information is not encrypted, redacted or altered in a way to make it unreadable. For example, if an unencrypted database contains only an individual's address, birthdate, and driver's license number, that information would not be considered personal information, nor would it be subject to Ohio's data breach notification requirements because it did not include the person's name. However, this information would be deemed "restricted information." This broad definition of "restricted information" was likely included so that the safe harbor could be applied to claims for damages resulting from identity theft and similar fraudulent activities, even if Ohio's data breach notification law was not implicated.
Requirements for the Safe Harbor
To qualify for the safe harbor, a business must create, maintain, and comply with a written cybersecurity program that contains safeguards for the protection of personal information, restricted information, or both. If a covered entity's program is designed to protect only personal information and not restricted information, the safe harbor protections will not apply to claims relating to a data breach affecting restricted information.
The scale and scope of a covered entity's cybersecurity program is to be determined based upon several factors, including the size of the covered entity, the nature and scope of the activities of the covered entity, the sensitivity of the information to be protected, and the cost and availability of tools to improve information security and reduce vulnerabilities. In addition, the cybersecurity program must "reasonably conform" to the current version of one of several government- or industry-recognized cybersecurity frameworks specified by the law. In the event that a chosen cybersecurity framework is updated, the business has up to a year to bring its existing cybersecurity program into reasonable compliance.
Practical Considerations
Although blockchain is not new to Ohio, the new law should provide assurances to businesses hesitant to use the technology because of concerns about its legitimacy.
Although implementing a written cybersecurity program that meets the requirements of the law will involve an investment of a business's time, money and other resources, the potential benefits are significant. The safe harbor provides a path businesses may follow to mitigate the risk that a plaintiff can successfully bring a claim that he or she was harmed by lax data security practices. For plaintiffs who are not deterred by the safe harbor, time will be spent litigating whether a covered entity has met the requirements of the safe harbor, i.e., whether the covered entity "reasonably conformed" to its chosen security framework in view of the nature and scope of its activities, the sensitivity of the data, and the cost and availability of tools to improve information security and reduce vulnerabilities. However, for businesses that successfully implement a written cybersecurity program that reasonably conforms to the law's requirements, the safe harbor will be a game-changer in lawsuits for damages resulting from a data breach.
¹ Covered entities include both for-profit and non-profit businesses, regardless of whether such businesses are located within Ohio.