State Regulatory Developments

Ohio Enacts Cybersecurity Safe Harbor

Ohio recently established a cyber-breach safe harbor, providing an affirmative defense to civil liability for covered entities that implement written cybersecurity plans that satisfy the law’s requirements.

Ohio Senate Bill 220 defines a “covered entity” as a business that accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside Ohio.

Under this legislation, a “covered entity” that satisfies specified provisions is entitled to assert an affirmative defense to any cause of action alleging that a failure to implement reasonable information security controls resulted in a data breach concerning personal information. Those provisions include a written cybersecurity program that has administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry-recognized framework.

The statute also includes a provision specifying that transactions recorded by blockchain technology are permitted under the Uniform Electronic Transactions Act in Ohio.

The legislation is available here: https://www.legislature.ohio.gov/legislation/legislation-summary?id=GA132-SB-220.