Ohio “Safe Harbor” Cybersecurity Bill Attempts to Stop Plaintiff Class Actions in Data Breach Ohio “Safe Harbor” Cybersecurity Bill Attempts to Stop Plaintiff Class Actions in Data Breach

Ohio “Safe Harbor” Cybersecurity Bill Attempts to Stop Plaintiff Class Actions in Data Breach

Ohio Attorney General Mike DeWine recently endorsed a unique data protection law that was a result of efforts from the CyberOhio Initiative, an effort by the state to help Ohio businesses with cybersecurity issues.

In mid-October, State Senators Bob Hackett and Kevin Bacon introduced Senate Bill 220, the Data Protection Act, in the Ohio Senate. The purpose of the bill is to establish a legal safe harbor for businesses to plead as an affirmative defense to a tort cause of action that alleges failure to implement reasonable cybersecurity controls resulting in a data breach.[1] The bill was developed to serve as an incentive for businesses to take reasonable precautions to achieve a higher level of cybersecurity and meet industry-recommended standards.[2] However, it is important to note the safe harbor is not intended as a minimum cybersecurity standard nor does it impose liability upon those businesses that do not develop cybersecurity controls.

In a November 3 joint news conference with Attorney General DeWine, State Senator Hackett noted that “[a]s the world is increasingly interconnected, we have a responsibility to secure cyberspace.”[3] Attorney General DeWine called on Ohio businesses to consider effective cybersecurity measures to be an “investment.”[4] Attorney General DeWine explained that “[t]hose businesses that take reasonable precautions and meet these important standards will be afforded a safe harbor against claims should a data breach occur.”[5]

Senate Bill 220 is the first bill to emerge from the CyberOhio Initiative, a cybersecurity task force of business leaders, information technology experts, and law enforcement aimed at helping Ohio’s businesses fight back against cyber-attacks.[6] The goal of the CyberOhio Initiative is to provide the best legal, technical, and collaborative cybersecurity environment possible to help Ohio’s businesses thrive.

In the wake of high-profile hacks of consumer information, most recently the Equifax breach, businesses should take a risk-based approach in implementing industry-recommended standards. Cyber-criminals are highly sophisticated, and there is no typical or routine cyber-attack.[7] Furthermore, because risk differs among various sectors (e.g., health care, financial, education) and there are many different data protection regulatory frameworks (e.g., HIPAA, FCRA, GLBA), there is no “one size fits all” approach in this space.

In this rapidly developing and changing cyber-landscape, Ice Miller has the professionals and experience to help clients assess risk and implement approved frameworks to come into compliance with the proposed safe harbor. As former information technology professionals, system engineers, and analysts, our attorneys understand the technologies involved in data and are able to effectively and efficiently advise clients on all aspects of the complex business, technological, legal, and regulatory issues that relate to protecting such information.

To speak to an attorney, please contact Nicholas Merker at nicholas.merker@icemiller.com, Stephen Reynolds at stephen.reynolds@icemiller.com, or Matthew Diaz at matthew.diaz@icemiller.com.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.


[1] Senate Bill 220, The Ohio Legislature, https://www.legislature.ohio.gov/legislation/legislation-status?id=GA132-SB-220.
[2] Id.; Data Protection Act Will Incentivize Cybersecurity to Protect Consumer Data, Mike DeWine: Ohio Attorney General, http://www.ohioattorneygeneral.gov/Media/News-Releases/November-2017/Data-Protection-Act-Will-Incentivize-Cybersecurity.
[3] Data Protection Act Will Incentivize Cybersecurity to Protect Consumer Data, supra note 2.
[4] Jim Provance, Lawmakers offer legal carrot to defeat data breaches, The Blade (Nov. 3, 2017), http://www.toledoblade.com/State/2017/11/03/Lawmakers-offer-legal-carrot-to-defeat-hacking.html.
[5] Id.
[6] CyberOhio, Mike DeWine: Ohio Attorney General, http://www.ohioattorneygeneral.gov/Business/CyberOhio.
[7] Id.

View Full Site View Mobile Optimized