U.S. Federal and State Cases, Codes, and Articles
Current as of January 01, 2024 | Updated by FindLaw Staff
(A) A covered entity seeking an affirmative defense under sections 1354.01 to 1354.05 of the Revised Code shall do one of the following:
(1) Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry recognized cybersecurity framework, as described in section 1354.03 of the Revised Code; or
(2) Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of both personal information and restricted information and that reasonably conforms to an industry recognized cybersecurity framework, as described in section 1354.03 of the Revised Code.
(B) A covered entity's cybersecurity program shall be designed to do all of the following with respect to the information described in division (A)(1) or (2) of this section, as applicable:
(1) Protect the security and confidentiality of the information;
(2) Protect against any anticipated threats or hazards to the security or integrity of the information;
(3) Protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.
(C) The scale and scope of a covered entity's cybersecurity program under division (A)(1) or (2) of this section, as applicable, is appropriate if it is based on all of the following factors:
(1) The size and complexity of the covered entity;
(2) The nature and scope of the activities of the covered entity;
(3) The sensitivity of the information to be protected;
(4) The cost and availability of tools to improve information security and reduce vulnerabilities;
(5) The resources available to the covered entity.
(D)(1) A covered entity that satisfies divisions (A)(1), (B), and (C) of this section is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information.
(2) A covered entity that satisfies divisions (A)(2), (B), and (C) of this section is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.
Cite this article: FindLaw.com - Ohio Revised Code Title XIII. Commercial Transactions § 1354.02 - last updated January 01, 2024 | https://codes.findlaw.com/oh/title-xiii-commercial-transactions/oh-rev-code-sect-1354-02/
FindLaw Codes may not reflect the most recent version of the law in your jurisdiction. Please verify the status of the code you are researching with the state legislature or via Westlaw before relying on it for your legal needs.