Ohio bill offers safe harbor to companies that take steps to protect cybersecurity

Written on Nov 09, 2017

Under a bill introduced Nov. 3, businesses that take certain steps to secure their customers’ sensitive information could be protected from a later lawsuit if a hack still occurs.

Senate Bill 220 is designed to encourage businesses of all sizes to voluntarily act in exchange for the promise they could later assert an affirmative defense in court that they’d been proactive.

“Those businesses that take reasonable precautions and meet these important standards will be afforded a safe harbor against claims should a data breach occur,” Ohio Attorney General Mike DeWine said. “To trigger the safe harbor provision, businesses must create their own cybersecurity programs that meet certain standards.”

The proposed Data Protection Act is the first bill to emerge from DeWine’s cybersecurity task force of business leaders, information technology experts and law enforcement created in the wake of high-profile hacks of consumer information.

The bill’s backers stressed the measure does not lay out a minimum set of standards that, if not met, could serve as grounds for litigation in the event of a breach.

The main goal was to create a set of frameworks that would evolve with risk.

Sen. Bob Hackett (R., London), one of the bill’s sponsors, said this process also means lawmakers won’t have to continually revisit the issue to update a minimum set of standards.

Protections for a business that acts proactively could begin as soon as it sets itself upon that path. The business would be given a year to come up with its own program in writing using one of eight industry-specific frameworks developed by the National Institute of Standards and Technology.

The business would then have another year to implement the plan, during which it could conceivably offer the affirmative defense in court if a hack occurs.

It would still be up to a judge to determine whether a business met its burden to qualify for the safe harbor from litigation.

The measure provides no financial assistance to businesses to participate.

“Effective cybersecurity should be considered an investment,” DeWine said.
