Proposed legislation in Ohio seeks to incentivize businesses to voluntarily adopt a cybersecurity framework in return for an affirmative defense or “safe harbor” in court should a data breach still occur.
Senate Bill 220, the Data Protection Act, was introduced Oct. 17 by State Sens. Bob Hackett (R-London) and Kevin Bacon (R-Minerva Park).
The point is for Ohio businesses to be proactive in instituting certain defenses to guard against data breaches.
Importantly, the bill does not create a minimum cybersecurity standard for businesses to achieve or impose liability for not obtaining or maintaining one; instead, it intends to provide an evolutionary standard for business risk.
To meet the safe harbor requirements, businesses must create, maintain, and comply with administrative, technical, and physical safeguards for the protection of personal data by using one of eight industry-specific frameworks developed by the National Institute of Standards and Technology, or another industry-recognized information security framework.
Further, a judge would be responsible for determining whether or not a business qualifies for a safe harbor provision, states data protection attorney Brian H. Lam in The National Law Review.
The legislation is part of state Attorney General DeWine’s CyberOhio Initiative. Launched in 2016, its objective is to provide Ohio businesses with support on cybersecurity issues to enhance their success, according to the website.
“As businesses beef up their cybersecurity, consumers will benefit from the additional protection as well,” explained DeWine, who endorsed the legislation in a statement.
CyberPrivacy will continue to monitor this pending legislation and give our readers an update as it unfolds.