Effective November 2, 2018, a new Ohio breach law will give covered entities a legal safe harbor against certain data breach-related claims brought in an Ohio court or under Ohio law if, at the time of the breach, the entity maintains and complies with a written cybersecurity program that (1) contains administrative, technical and physical safeguards for the protection of personal information, and (2) reasonably conforms to one of the “industry-recognized” cybersecurity frameworks enumerated in the law (among them the NIST Cybersecurity Framework, NIST SP 800-53 and SP 800-171, FedRAMP, the CIS Controls and the ISO/IEC 27000 family).
The program must additionally be designed to (1) protect the security and confidentiality of the information; (2) protect against any anticipated threats or hazards to the security or integrity of the information; and (3) protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates. In determining the necessary scale and scope of the program, a business should consider what is reasonable in light of the size and complexity of the covered entity, the nature and scope of its activities, the resources available to it, the sensitivity of the information to be protected, and the cost and availability of tools to improve information security and reduce vulnerabilities.
While this safe harbor does not apply to breach of contract claims or statutory violations in a breach suit, covered entities may raise it as an affirmative defense against tort claims alleging that a failure to implement reasonable information security controls resulted in a data breach. However, the covered entity bears the burden of demonstrating that its program meets all of the requirements of the law. This may be hard for businesses to prove, since many of the frameworks state general objectives rather than specific controls, and since most of them have no formal certification process that would attest to conformance. Moreover, because such frameworks are revised regularly to keep up with new technologies and risks, it may be difficult for businesses to conform to an update within the statute-mandated one-year limit running from the date the revision is published; a program that tracks an outdated version of its chosen framework may therefore fall outside the safe harbor.
This law is the first in the U.S. to offer an incentive to businesses that take steps to ensure that there are policies and procedures in place to protect against data breaches. It remains to be seen whether other states will enact similar laws.