Companies with robust cybersecurity programs may still be vulnerable to attack. A new, first-of-its-kind law in Ohio now recognizes this fact. On November 1, 2018, the Ohio Data Protection Act (SB 220) establishes a safe harbor from state tort actions in data breach cases for entities that have developed an information security program with “administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry recognized cybersecurity framework.” Without establishing minimum cybersecurity standards, the Ohio law affords defendants an “affirmative defense” against state tort actions and establishes an important precedent that may serve as a model for other states and the federal government to follow.
To qualify for the safe harbor, entities must:
- Protect the security and confidentiality of the information;
- Protect against anticipated threats or hazards to the security or integrity of the information; and
- Protect against unauthorized access to and acquisition of information that is likely to result in a material risk of identity theft or fraud.
The statute adopts a flexible and technology neutral…
