In a flurry of legislative activity during the final week of June, the Legislature passed Senate Bill 220, cybersecurity legislation improving Ohio’s business and legal climate. This legislation incentivizes businesses of all sizes to invest in robust cybersecurity programs to protect the data of consumers, employees, and others by providing an affirmative defense, or “safe harbor,” if the business meets certain requirements. This legislation, strongly supported by the Ohio Chamber, passed the Ohio House of Representatives 68-23 with bipartisan support. With the Senate immediately concurring in amendments made by the House, SB 220 now goes to Governor Kasich for his signature.
This legislation benefits Ohio’s businesses and Ohio’s business climate by incentivizing businesses to invest in, and maintain, reasonable cybersecurity measures to protect employee, customer, and other private information. It does not bar a lawsuit but provides the opportunity for a business to provide evidence that reasonable policies and protections were in place to prevent the breach and, essentially, provides guidance as to what is reasonable. Judges and juries would still decide, depending on the unique facts and evidence of a case, whether the business meets its burden to raise the affirmative defense provided under this bill. Our previous blogs, linked above, go through the requirements in much more detail.
In addition to some technical changes added in the House, an amendment specifying that transactions recorded by blockchain technology are permitted under the Uniform Electronic Transactions Act in Ohio. Blockchain technology allows electronic records to be recorded securely and is growing in usage in the private sector. Ohio will now join the growing list of states formally recognizing blockchain technology in statute.