Data breaches can be extremely costly, regardless of the size or type of organization affected.  Costs include technical investigations, notifications, call center setup, legal services for regulatory compliance and defense, credit monitoring and identity theft protection services, public relations outreach, and loss of business and reputation.  In fact, according to a recent study conducted by the Ponemon Institute and sponsored by IBM, the global average cost of a data breach is $3.86 million, which is a 6.4% increase from last year’s average.  As a result, businesses are investing more in their IT departments and information security generally.

Ohio now rewards such businesses by providing an affirmative defense against tort claims to businesses subject to litigation stemming from data breach incidents.  Specifically, Ohio recently passed a law (S.B. 220), effective November 2, 2018, that provides a “legal safe harbor” for businesses that adopt and comply with an “industry recognized cybersecurity framework.”  The law sets forth the qualifying cybersecurity frameworks, which include, but are not limited to, the HIPAA Security Rule and HITECH, Title V of the Gramm-Leach-Bliley Act of 1999, the Payment Card Industry (“PCI”) Data Security Standard, and certain National Institute of Standards and Technology (“NIST”) frameworks.  In order to qualify for the safe harbor, a business must stay current with the identified cybersecurity framework.

The text of S.B. 220 is available here.

Our take

Due to the large costs associated with data breaches, businesses should ensure that their security programs conform to the most recent version of each applicable cybersecurity framework.  Although most states have not enacted a law providing an affirmative defense against tort claims for businesses that implement and maintain a meaningful cybersecurity framework, the compliance risks and the costs associated with data breach investigation and response should be sufficient incentive to do so.