Skip to Content
May 15, 2019 Article 2 min read

The state of Ohio has a new law — the first in the nation — that incentivizes companies to adopt cyber protections in exchange for protecting them from legal liability in the event of a data breach. Here’s what you need to know.

Young woman reading about Ohio's new cybersecurity safe harbor law on her computer.

The Ohio Data Protection Act, or cybersecurity safe harbor law, was passed and went into effect in the fall of 2018. We work with a number of commercial clients around Ohio; and the idea that implementing a robust set of cybersecurity protections now, in order to protect them from potential liability in case of a data breach in the future, has a lot of appeal. A study last year determined that the average cost of a data breach globally is $3.62 million, but the cost for a U.S. organization is higher at $7.35 million.

With such debilitating fees, it’s important you take every measure possible to protect the personal data of your customers. And it’s not just the fees alone; your customers can feel violated and lose faith in your organization.

How does the cybersecurity safe harbor incentive work?

The cybersecurity safe harbor law says that if an organization has implemented cybersecurity protections, then they have an affirmative defense that shields them from tort or civil lawsuits when a data breach occurs or is thought to have occurred. It could be called a built-in legal defense in case the worse happens and a breach occurs. In other words, if you’ve taken the steps to create and maintain a written cybersecurity program, and comply with that program, your organization meets the requirements.

What kinds of breaches does the safe harbor law protect against?

Organizations collect all kinds of data that could be exposed in a breach. Personal health information; personally identifiable or restricted information such as social security numbers, and credit card information; and trade secrets including software source code and corporate information. To comply, your organization’s cybersecurity program must:

  1. Protect the security and confidentiality of this information.
  2. Protect against any anticipated threats or hazards that threaten the security or integrity of the information.
  3. Protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.

What must a cybersecurity program include?

The law is relatively clear in spelling out what qualifies as appropriate cyber protections. Organizations must have a written cybersecurity program that:

  • Contains administrative, technical, and physical safeguards that project personal or restricted information.
  • Meets the design, scale, and scope requirements.
  • Reasonably conforms to an industry-recognized cybersecurity framework.

Some items you should include are an assessment of your current security program, potential risk assessment, and an attack and penetration assessment.

It remains to be seen whether the Ohio cybersecurity safe harbor law will have a practical impact on an organization’s approach to cyber risk management. We’ll continue to monitor and update you as things develop. And, as always, please reach out to our cybersecurity experts with any questions you have on cybersecurity and risk management.