Brian Ray


This essay argues that the ODPA [Ohio Data Protection Act], which has become a model for similar laws and legislative proposals in several other states, in effect creates a process-based standard for cybersecurity. It does so by incorporating the risk-based approach used by the listed cybersecurity frameworks as the de facto standard for reasonable security for organizations seeking to qualify for the Act’s affirmative defense. This article summarizes the ODPA and then explains the risk-based approach of the cybersecurity frameworks it incorporates. It then argues that this risk-based approach in effect establishes a process-based definition of reasonable security, and explains why that process-based definition offers intriguing possibilities for providing more specific but still flexible guidance to organizations seeking to develop defensible cybersecurity programs.