Ohio Bill Proposes Safe Harbor Against Breach Suits to Businesses Maintaining Recognized Cybersecurity Programs
William Berglund, Robert J. Hanna and Victoria L. Vance of Tucker Ellis write:
Maintaining robust cybersecurity measures that meet government- and industry-recognized standards will provide businesses operating in Ohio with a legal defense to data breach lawsuits, if a bill recently introduced in the Ohio Senate becomes law.
Ohio Senate Bill No. 220 (S.B. 220), known as the Data Protection Act, was introduced to provide businesses with an incentive to achieve a “higher level of cybersecurity” by maintaining a cybersecurity program that substantially complies with one of eight industry-recommended frameworks. See S.B. 220, Section 1, proposed Ohio Rev. Code §§ 1354.01 to 1354.05.
Compliance Standards To Be Met
Businesses that are in substantial compliance with one of the eight frameworks outlined in S.B. 220 would be entitled to a “legal safe harbor” to be pled as an affirmative defense to tort claims related to a data breach stemming from alleged failures to adopt reasonable cybersecurity measures. S.B. 220, Section 1, proposed Ohio Rev. Code §§ 1354.02(A) and (C), 1354.03; S.B. 220, Section 2(A).
Read more on Tucker Ellis.