On Wednesday, Senate Bill 220, legislation that incentivizes businesses to invest in cybersecurity programs by providing legal protections in the event of a data breach, passed the Ohio Senate 24-8 along party lines. The legislation underwent a few technical changes in committee earlier in the day and was then promptly passed out of committee and on to a floor vote. The Ohio Chamber strongly supports this legislation and testified in January on the bill.
SB 220 benefits Ohio’s businesses and Ohio’s business climate by incentivizing businesses to invest in, and maintain, reasonable cybersecurity measures to protect employee, customer, and other private information. The bill gives businesses that institute a robust cybersecurity program in compliance with the statute an affirmative defense in any tort action, such as negligence, for a data breach. The legislation does not bar a lawsuit but affords a business the opportunity to provide evidence that reasonable policies and protections were in place to prevent the breach and, essentially, provides guidance as to what is reasonable. Judges and juries would still decide, depending on the unique facts and evidence of a case, whether the business meets its burden to raise the affirmative defense provided under this bill.
Further, the bill provides five factors to evaluate the reasonableness of the business’s program, including the size and complexity of the business, the resources available to the covered entity, and the nature of the personal information to be protected. This allows for scalability across the spectrum of businesses in the state—from small businesses to Fortune 500 companies. The bill also considers the differing nature and needs of businesses throughout the state by allowing each business to choose, from a list of cybersecurity frameworks, the one that makes the most sense for that particular business.
SB 220 now moves over to the Ohio House for further deliberation, where the Ohio Chamber will be advocating for its passage by the end of the year.