H.B. 158 is one of the first data privacy laws to grant companies that are sued over a data breach an affirmative defense if they have adopted a nationally recognized security standard. The bill is a response to national and international data privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which place onerous obligations on companies to protect personal information.
Johnson says, “Recently-instituted data privacy regulations such as the GDPR are heavy-handed and can result in debilitating fines that may devastate a business – even those who have taken careful precautions to protect consumers’ data. An event does not always equal negligence. House Bill 158 balances the scales for companies who have done their best to protect consumers’ information.”
H.B. 158 is a collaboration between Rep. Mark K. Roberts, Johnson and the Attorney General’s office. It strikes a balance between encouraging companies to protect personal information and offering them a defense when a data breach happens despite their efforts. Only one similar law has previously been enacted, in Ohio.
Under H.B. 158, a company that had implemented and followed a national standard of security controls would get an affirmative defense if sued over a data breach. Companies could choose from a variety of nationally recognized frameworks, such as the NIST SP 800 series, the NIST Cybersecurity Framework, the CIS Critical Security Controls (the CIS 20), or the ISO/IEC 27000 series. Those frameworks spell out what a company should do given its budget, its size, and the type of data it processes; the defense rests on the controls actually being in place and maintained, not merely on a standard having been selected on paper.