A breach law that just went into effect in Ohio provides covered entities with a legal safe harbor for certain data breach-related claims under Ohio law. It is the first law in the U.S. to offer an incentive to businesses that take steps to ensure that there are policies and procedures in place to protect against data breaches.

To qualify, the entity must, at the time of the breach, comply with a cybersecurity program that:

  • contains administrative, technical, and physical safeguards for the protection of personal information; and
  • reasonably conforms to one of several “industry-recognized” cybersecurity frameworks.

In addition, the program must be designed to:

  • protect the security and confidentiality of the information;
  • protect against any anticipated threats or hazards to the security or integrity of the information; and
  • protect against unauthorized access to information that is likely to result in a material risk of identity theft or other fraud.

More at Hunton Andrews Kurth LLP