A new and first-of-a-kind law was enacted in the State of Ohio, providing a safe harbor to organizations that demonstrate compliance with cybersecurity standards. The law establishes a legal safe harbor operating as a defense to causes of action in tort that allege or relate to the failure to implement reasonable information security controls, resulting in a data breach. The safe harbor applies to entities that implement a cybersecurity program that meets the requirements of the legislation. 

The law explains that it is intended to incentivize and encourage businesses to achieve a higher level of cybersecurity through voluntary action. At the same time, it explains that it does not, and is not intended to create a minimum cybersecurity standard that must be achieved, nor should it be read so as to impose liability on businesses that do not obtain or maintain practices in compliance with the act.

In order to benefit from the law’s safe harbor, organizations must demonstrate that they have instated and continuously comply with a written information security program that meets recognized information security industry-standards such as ISO-27001 or regulatory requirements applicable to the organization. The program must be compatible with the size of the business, the nature of its activity, its resources and etc. The legislation is expected to come into effect in November 2018.