Ohio Enacts Legal Safe Harbor for Cybersecurity Compliance

Do you know that the average total cost of a data breach to a business is $3.86 million? This reflects a 6.4% increase over last year.

For companies doing business in Ohio, some relief is on the way.

Earlier this month, Governor Kasich signed Senate Bill 220 into law. It provides a legal “safe harbor” for businesses in exchange for compliance with one of the eight recognized cybersecurity standards (including the National Institute of Standards and Technology’s Cybersecurity Framework, the Security Rule of the Health Insurance Portability and Accountability Act for healthcare-industry businesses regulated by HIPAA, and the Safeguards Rule of the Gramm-Leach-Bliley Act for certain financial institutions).

A company doing business in Ohio that complies with one of these standards will have an affirmative defense to a tort claim alleging that a failure to implement reasonable information security controls resulted in a data breach.

SB 220 expressly states that it does not “create a minimum cybersecurity standard that must be achieved” or “impose liability upon businesses that do not obtain or maintain practices in compliance with the frameworks.”

Indeed, the scale and scope of a compliant cybersecurity program required to trigger the legal safe harbor is based on various business-specific factors, including:

  • the size, complexity, and nature of the business and its activities;
  • the level of sensitivity of the personal information it possesses;
  • the cost and availability of tools to improve security and reduce vulnerabilities; and
  • the resources the business has at its disposal to expend on cybersecurity.

The law’s goal is not to shield businesses from liability, but “to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action.” In and of itself, this goal is worthy of your attention.

Governor Kasich signed the bill into law on August 3, and it takes effect 90 days after it is enrolled by the Secretary of State.

If you haven’t taken cybersecurity seriously, SB 220 may be just the kick in the pants that Ohio businesses, and those doing business in Ohio, need to jump-start their compliance efforts. You have approximately three months to comply. What are you waiting for?

Meyers Roman cybersecurity attorneys will help you bring your business into compliance so that you are ready to take advantage of this safe harbor. For assistance or more information, contact any of the following at 216-831-0042 or at emails below:

Peter Brosse    pbrosse@meyersroman.com

Jon Hyman       jhyman@meyersroman.com

David Croft     dcroft@meyersroman.com