The Ohio Attorney General’s Office has a national reputation as a robust enforcer of consumer protection and privacy laws, with a track record of balancing the needs of government, business and consumers. Attorney General Dave Yost was elected in 2018 after spending eight years as Ohio’s state auditor.

In key aspects, Attorney General Yost has benefited from the strong leadership of his predecessor regarding privacy. In 2018, then-Attorney General Mike DeWine played an important role in convening stakeholders, including Ohio businesses and an advisory board of cyber professionals, to develop the Ohio Data Protection Act. The Data Protection Act provides a cybersecurity safe harbor via an affirmative defense in data breach litigation for cases brought under tort or negligence claims, provided that entities seeking safe harbor protection can show they complied with one of several industry-recognized cybersecurity programs. Other states are looking to this act as a model for legislation or rulemaking in their own states. Since taking office In January 2019, Attorney General Yost has proved he is prepared to take privacy and consumer protection in Ohio to the next level. In this interview with The Privacy Advisor, Yost discusses his views on privacy trends in the states, preventing ransomware and data breach litigation safe harbors.

The Privacy Advisor: The legal landscape across the country is changing quickly with regard to consumer and employee rights to privacy and cybersecurity requirements for those entities handling their data. Will Ohio likely be joining California and Virginia in passing comprehensive data protection laws that provide consumers enhanced rights to their data?

Yost: I can’t speculate on what the legislature might do, but we all need to rethink our approach to sharing and protecting our personal information. When the internet was young, most of us assumed it was a safe and secure place. Businesses and individuals have to reset their expectations and take appropriate steps to prevent breaches, involuntary data harvesting and unauthorized disclosures. There’s certainly a role for the government in that conversation — my recent suit seeking to have Google Search declared a common carrier utility makes that clear — but we shouldn’t run in with guns blazing and ink flying. Any regulation has to strike the right balance so that it protects individuals without needlessly getting in the way of innovation.

The Privacy Advisor: The 2018 Data Protection Act helped provide Ohio businesses a safe harbor against data breach litigation in the form of an affirmative defense. Do you believe this has had an impact on the adoption of cybersecurity protections by businesses and an associated reduction in breaches (and breach litigation)? As the first measure of its kind, are there lessons to be learned from it and what suggestions would you have to your fellow attorneys general in other states who may be asked to advise on similar measures? 

Yost: The goal of the Data Protection Act is to protect businesses with good cybersecurity practices from suffering a “gotcha” moment at the hands of greedy trial lawyers. No matter how hard a business tries, it can feel like cybercriminals and scammers are always one step ahead of even the best security practices and products. Breaches are going to happen. Ohio’s Data Protection Act essentially says that if you’re in compliance with certain industry standards, some crafty criminal can’t open your business up to massive liability and possible financial ruin. We’ll never know about the breaches this legislation prevented or the steps it prompted businesses to take to come into compliance with the relevant industry standards, but I’m confident it has been good for Ohio.

I think the biggest lesson is that states should be willing to listen to the experts and be creative in their approach to cybersecurity and, in turn, privacy. The solution is not always “Don’t do this, or you’ll be liable;” sometimes, the solution is “Do this — take these proactive steps — so that you won’t be liable.” There has to be a balance in what we can reasonably expect our businesses — large and small — to do to protect people’s information and those expectations will change over time.

The Privacy Advisor: The United States Supreme Court recently handed down a decision affecting Telephone Consumer Protection Act enforcement, Facebook v. Duguid. This decision narrowed what constitutes an “automatic telephone dialing system,” one of the key definitions used to prevent robocalling via the TCPA, which is enforced by federal and state officials as well as by private plaintiffs. Given your interest in protecting Ohio consumers from scammers and robocallers, how does this decision impact your work? 

Yost: The number one question I hear from my constituency is, “How can I stop all of these robocalls?” These calls are an annoyance at best and can really harm people at worst. This is why I signed on to an amicus to retain the broad definition of “automated telephone dialing system” that everyone had been operating under for years. When the court’s decision came out, I was definitely disappointed because I hear about this problem on a daily basis. The good news for Ohioans is that, prior to the decision, I had already created a Robocall Enforcement Unit in our office’s Consumer Protection Section. The attorneys and investigators in this unit work on the ground level — whether in the courtroom, through legislation, or on the educational level — to combat robocalls. I expect our team to be innovative in our approach to stopping these calls, whether that’s through the TCPA or Ohio’s own consumer protection statutes. It’d be nice if the Supreme Court had agreed with our position on auto-dialers, but they didn’t. Still, Ohio is committed to combating illegal robocalls in every way possible.

The Privacy Advisor: Consumer Reports has proposed a Model State Privacy Act, which includes a private right of action. Ohio’s Data Protection Act explicitly denies a private right of action, while the Ohio Consumer Sales Protection Act includes a private right of action. What is your view on private rights of action for public protection laws where enforcement typically falls to the government? In your view, can private enforcers of privacy laws appropriately balance the needs of businesses and consumers as would be expected of government enforcement attorneys?

Yost: There’s no one-size-fits-all solution, but we should certainly be cautious about taking steps that open businesses up to a feeding frenzy of private litigation. The merit of providing a private right of action is somewhat dependent on the resources available to a state attorney general. It’s really a question that needs to be answered by each state individually. We’ve definitely seen the plaintiffs’ bar take great advantage of private rights of action in other areas of the law, but we also know privacy affects literally every person in a state; to put sole enforcement of that on one office is certainly no small undertaking and should seek to provide the best protection for consumers while not promoting predatory lawsuits.

The Privacy Advisor: The news has been filled with stories of ransomware attacks. These attacks have wide-ranging targets, from the Colonial Gas Pipeline to businesses to state offices, including reportedly the office of the Illinois Attorney General and the police in Washington, DC. What is your office doing to counsel Ohio state agencies and local governments in this area? What education are you giving to Ohio businesses and residents? 

Yost: We have an open line of communication with our state (chief information officer) and consistently counsel our clients that training and mindfulness are the best defense. It’s no secret that many system breaches, including ransomware, start by deceiving individuals. So, even with the best security in the world, employee training is key, and we try to encourage this at the state and local levels. We also reinforce that message to our own staff through regular mandatory trainings. My office also offers trainings to businesses and constituents on red flags that can help them spot a potential scam or phishing attempt.

The Privacy Advisor: The U.S. Supreme Court issued a ruling curtailing the (Federal Trade Commission’s) ability to obtain restitution. Do you expect your office to partner with the FTC or other states to utilize alternative remedies instead of restitution moving forward, particularly in privacy? Do you see this decision as displacing the FTC as an enforcement partner with the states on consumer protection matters?

Yost: Congress should restore the FTC’s ability to obtain restitution in some fashion. Ohio has regularly partnered with other states and the FTC in the area of privacy. I’ve been very impressed with some of the alternative remedies — specifically injunctive relief — that the states have come up with together to protect privacy but also to allow businesses to thrive. I don’t see this decision as displacing the FTC as an enforcement partner, but it does change the tools that the commission is able to bring to the effort. Ohio will continue to work with the FTC to obtain the best relief for our constituents, even if that relief looks slightly different than it did before.

The Privacy Advisor: The privacy community has been debating a potential federal privacy law for many years. A substantial portion of new state law privacy activity has been calculated to generate support for a national, preemptive privacy standard. Many industry observers believe that it is a matter of time before Congress moves in earnest to construct such a law. What would you like to see in a federal privacy law and who should enforce such a law?

Yost: A number of privacy-related laws have been floated at the federal level, including those encompassing topics such as breach notification, data privacy rights, biometric information, social media privacy and then some. The truth is: It’s a balancing act. We are at a point that we, as a society, are saying consumers deserve to have their privacy protected in a number of ways. With that, though, we also must work to create a fair and consistent playing field for businesses. Data by its nature is transient and so is privacy. So, while each state likely knows what’s best for its residents, at some point we must concede that at least certain aspects of privacy need to be regulated and enforced at the federal level. This complex and multifaceted concept we call privacy should be regulated solely by one federal agency or by multiple state entities remains to be seen.

Photo by Hans-Jürgen Weinhardt on Unsplash