With the enactment of Senate Bill 220, known as the Ohio Data Protection Act, the Buckeye State became the first to provide a liability shield for some claims in data breach litigation for companies that implement a written cybersecurity program that “reasonably conforms” to at least one of 11 industry-recognized cybersecurity frameworks.
The voluntary approach in the new law, which was signed in early August and took effect on Nov. 2, marks a stark departure from the nearly two dozen state data security laws already on the books, which threaten companies with fines, lawsuits and enforcement actions for failing to maintain reasonable cybersecurity programs.
But while companies are likely to welcome a more incentive-driven approach to regulation, the jury’s still out on whether this strategy will ultimately prove effective.
“Ohio’s approach to cybersecurity regulation is certainly more business-friendly than other jurisdictions, but in the modern commercial landscape in which businesses are facing a diverse array of compliance requirements, a single carrot among the sticks isn’t likely to make Luddite horses suddenly champ at the bit,” said Michael Hellbusch, an attorney at Rutan & Tucker LLP.