The question is, will other States and even the Federal government follow? I hope so.
The Ohio Data Protection Act, which became law in November of 2018, establishes a cybersecurity safe harbor for companies that adopt an applicable cybersecurity framework.
In simple terms, here is what this means. If a business can show that it acted in good faith by putting appropriate cybersecurity defenses and protections in place, it may be shielded from liability for damages should it experience a data breach. The Act does not create a standard of its own that companies must comply with; rather, it references several established cybersecurity frameworks that the law recognizes as sufficient. These frameworks are:
Payment Card Industry Standard combined with another listed framework
Further, this law allows businesses to determine which framework applies to them. Companies are allowed to consider their size, the type of information that needs to be protected, and other factors in making this determination.
For small businesses, this is good news, as this may represent the first cybersecurity law that a small business can actually comply with. While large enterprises are complying with the laws that affect them, compliance has been a challenge for small businesses. The scope of the requirements, the cost of complying, and the uncertainty over whether they can properly protect themselves have kept many from even trying.
By offering a safe harbor that protects a business as long as it can show compliance with one of the listed frameworks, this law may actually encourage businesses of all sizes to do the right thing. This would be a great development, and I’m hoping all other states follow Ohio’s lead. We will all be safer if they do.