Data Privacy Lawsuits in Ohio


What Is Data Privacy Management in Ohio?

Data privacy management is the system that a business or another entity uses to ensure the privacy and safety of the data it collects in the course of its operations. It involves an organization’s privacy framework and the tools it employs to protect its customers’ right to privacy. A data privacy management system would also include features to educate and inform customers and allow them to control their data.

Importantly, it would also have to comply with all applicable Ohio and federal laws and regulations that govern how businesses collect, use, store, share and sometimes sell the data they collect from consumers.

The concern that consumers have is that their data can be shared with bad actors and criminals, making them subject to identity theft and other types of theft and consumer fraud.

Currently there is no comprehensive privacy law in Ohio. The Ohio Personal Privacy Act (OPPA) has been proposed, but has not been adopted. Therefore, businesses must stay up to date with and obey other existing state and federal laws.

Among the Ohio laws now in effect that protect the privacy of consumer data are the following:

  • Credit Card Recording Act: This act bans businesses from distributing the sensitive financial data of consumers for marketing purposes. Among the sensitive data it protects are Social Security numbers and full credit card details. Businesses are allowed only the right to store the information for purposes that do not involve marketing.
  • Credit Card Truncation Act: This act requires businesses to list only five numbers of a consumer’s credit or debit card number on a purchase receipt. It also prohibits entities from including the card’s expiration date on a receipt.
  • Ohio Data Protection Act (ODPA): This law does not require businesses to employ rigorous cybersecurity practices to protect sensitive consumer data from data breaches.
    • It does provide an affirmative legal defense to companies that do this in the event they are sued by a customer for their failure to protect their personal data from a data breach.
  • The Ohio Security Breach Notification Act: It requires organizations to notify consumers who have been the victims of a data breach within 45 days of discovering a breach that involves their personal or sensitive information.
    • Entities are allowed the choice of mailing, emailing, or telephoning individuals to tell them of the breach. If a breach affects over 1,000 Ohio residents, the three credit reporting agencies, Experian, Equifax and TransUnion, must be notified as well.

Ohio recognizes certain cybersecurity frameworks as sufficient to give businesses a valid legal defense in any lawsuit alleging poor information security controls, provided the businesses adopt and maintain compliance with the frameworks’ standards. They are:

  • The National Institute of Standards and Technology (NIST)
  • The Center for Internet Security Controls (CIS)
  • The Payment Card Industry Data Security Standard (PCI DSS).

If an organization can prove that it complied with the relevant standards, it can defeat civil liability in Ohio’s state courts. The Ohio law requires courts to consider an organization’s size, complexity, and resources when determining whether it has complied as necessary.

An Ohio lawyer consultation would help a person understand the complexity of data privacy laws in that state. It would help a business with compliance with legal requirements. It would also help an individual understand their rights.

There are also several federal laws that provide consumers with privacy protections as follows:

  • Health Insurance Portability and Accountability Act (HIPAA): This federal law applies to businesses in the healthcare industry that deal with the Protected Health Information (PHI) of individuals. These businesses must comply with HIPAA nationwide and protect people’s private medical information.
  • Children’s Online Privacy Protection Act (COPPA): This federal law focuses mainly on protecting the personal data of minors and the sensitive personal data of minors under 13 years of age across the US. Hence, businesses that collect and manage the data of minors must use practices that comply with COPPA.
  • Gramm-Leach-Bliley Act (GLBA): Businesses that operate in the financial industry may have to comply with the GLBA. The GLBA requires financial institutions to inform customers about their data-sharing practices. They must also protect their customers’ sensitive information.
  • Fair Credit Reporting Act (FCRA): The FCRA governs consumer credit reporting. It requires businesses to ensure that credit data is accurate and secure.

Of course, the Fourth Amendment to the U.S. Constitution promises individuals in the U.S. the right “to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.”

Courts have interpreted the 4th Amendment to give Americans a reasonable expectation of privacy in such domains as their places of residence and certain areas of their vehicles. It has also been interpreted to extend to electronic data and digital privacy, the information and data that people generate through such technologies as cell phones, email and wearable devices. Generally, the government needs a warrant to access a person’s private personal digital information.

However, the 4th Amendment applies only to governments and does not constrain private entities, e.g. private businesses. Federal and state laws must be used to give people the protection they need in the private sector.

What Are Some Common Data Privacy Violations?

Some of the more common data privacy violations that individuals experience are as follows:

  • Unauthorized Collection and Use: An entity may collect and use a consumer’s data without their knowledge or without their consent.
  • Failure to Secure Stored Data: An entity may fail to use adequate security practices so that data is leaked or accessed by unauthorized entities, e.g., hackers.

Of course, other violations are possible.

What Data Must Ohio Businesses Protect under Privacy Laws?

Entities should protect the following information:

  • Names, addresses, phone numbers, Social Security numbers
  • Financial data such as credit card and bank account numbers, payment histories
  • Medical records and health-related data that would allow identification of an individual
  • IP addresses, online account credentials, and data collected through cookies and other tracking technology.

When Can an Ohio Business Be Sued for Data Privacy Violations?

An Ohio business can be sued for data privacy violations, often referred to as “data breaches,” if the individual who sues them can prove that they were harmed by any breach. In other words, an individual would not sue a company or other organization just because they experienced data breaches, e.g., data was hacked by an unauthorized party. The victim must have suffered measurable harm.

Data privacy lawsuits would allege breach of contract, negligence, and/or violations of privacy laws. If the victim had a non-disclosure agreement with the party they sue that applies to the situation and was breached, they would allege breach of contract with respect to that agreement.

Again, they would need to prove that the data privacy violation was the direct cause of harm to themselves, generally harm that can be quantified.

Are There Any Legal Remedies for Data Privacy Legal Issues?

The legal remedies would be an award of compensatory damages. This would be an amount of money that would compensate the victim for their financial losses. Compensatory damages would also compensate the victim for any expenses they incurred in trying to mitigate their damages, i.e., minimize their losses.

Under certain state or federal laws, a victim may be able to recover their attorney’s fees and court costs.

If an individual suffers emotional injury, such as anxiety, fear, depression, and loss of enjoyment in life, they may claim infliction of emotional distress. They would need to have solid evidence of their suffering, such as medical records of treatment by a physician, and an expert witness might need to testify about the victim’s emotional distress.

If a business has not changed its practices so as to prevent a continuing exposure of its customers’ personal private data, then an individual may want to go to court to get an injunction. An injunction is a court order that directs a party to do or cease doing some activity or action.

The Ohio Attorney General (AG) enforces the state’s data privacy protection laws. An individual who believes that a company has violated their right to the privacy of their data may file a complaint online through the AG’s website. The AG’s office may investigate their complaint and take legal action against the company that committed the violation, if necessary.

Some examples of conduct that may violate Ohio laws include the following:

  • Failing to notify the consumer of a data breach that involves their sensitive personal information within the required 45-day notice period
  • Including their full credit card or debit card number on a purchase receipt
  • Selling their financial information to a third party without their consent.

How Can Ohio Businesses Reduce the Risk of Data Privacy Lawsuits?

Reducing the risk of data privacy lawsuits would undoubtedly involve consulting experts in the field of cyber security or employing individuals who are well-educated and trained in cyber security. These individuals could advise the business about privacy policies that comply with both Ohio and federal laws.

A business would want its consultants and employees to conduct regular data privacy risk assessments in which they would look for security vulnerabilities and develop strategies for addressing them. They would want to consult an Ohio lawyer about staying up-to-date with state and federal laws and regulations and what they require of the business.

In addition, a business might want to include a mandatory binding arbitration clause in their agreements with their customers. They may also wish to include waivers of class actions in their contracts in order to limit or avoid entirely costly class action lawsuits.

Should I Hire a Lawyer for Help with a Data Privacy Lawsuit?

If your business needs to update its data privacy strategies, you want to talk to an Ohio business lawyer. Your lawyer can give you a complete briefing on both Ohio and federal laws that apply to data privacy and set the standards you must meet to ensure that you have fully complied with all applicable laws and regulations.

If your private data has been exposed by a business, you too want to talk to an Ohio business lawyer. Your lawyer will be able to investigate what happened, determine the extent of the exposure and identify how it happened. They will also be able to determine if you have suffered an economic loss that would justify a lawsuit to protect your rights to the privacy of your personal data.
