The Ohio legislature recently passed S.B. 220, which gives businesses that suffer a data breach an affirmative defense against tort claims brought in class action suits.

The law goes into effect on November 2, 2018. Basically, the law gives the business a safe harbor if the business implements and complies with “a recognized cybersecurity framework.” The law lists the recognized cybersecurity frameworks that are included in the safe harbor, which are the well-known existing frameworks, such as:

  • NIST frameworks
  • Title V of Gramm-Leach-Bliley Act
  • PCI standards

The Act does not require minimum standards, and allows businesses to adopt a framework that is appropriate for the business, but the adoption and maintenance of the framework will be scrutinized if a business asserts the affirmative defense.

The legislation does not unilaterally provide a safe harbor as many data breach notification laws do for the adoption of statutorily approved encryption technology, but instead, allows the business to assert the safe harbor as an affirmative defense against the suit. It further does not allow a private right of action for plaintiffs to assert if a business does not implement a cybersecurity framework for its organization and then suffers a data breach.

The purpose of the Act is to “encourage businesses to achieve a higher level of cybersecurity through voluntary action.”