Implementing a cybersecurity framework may begin to pay off for companies doing business in Ohio. As anyone following data privacy litigation knows, litigation stemming from data breach incidents can prove to be extraordinarily burdensome and expensive. Ohio is the first state to pass a law that will limit a business’s exposure in data breach litigation if the businesses has voluntarily adopted an identified cybersecurity framework.

In terms of the particulars, Ohio recently passed S.B. 220, which provides an affirmative defense against tort claims to businesses sued by data breach plaintiffs. The law will be codified at R.C. 1354.01–1354.05 and will go into effect on Nov. 2, 2018.

The law will provide a business with a “legal safe harbor” if the business adopts and complies with a “recognized cybersecurity framework.” The act lists a number of qualifying safe harbor cybersecurity frameworks including, but not limited to:…