Implementing a robust cybersecurity program is a business investment. Recently, numerous states have proposed a return on that investment in the form of statutory incentives for organizations that maintain certain technical safeguards. Incentive-based legislation can be used to convince management that investing in a cybersecurity program will create a return in the future.
For example, last year, Ohio proposed a bill that created a legal incentive for companies to create and implement a cybersecurity program. The proposed bill has now passed and will become effective November 2, 2018 (“Ohio Data Protection Act” or “Act”).
Under the Act, a company can raise an affirmative defense to data breach tort claims (such as negligence) brought under the laws or in the courts of Ohio if the company created, maintained and complied with a written cybersecurity program. To establish the defense, a company would have to show that its security program contained administrative, technical and physical safeguards designed to protect either “personal information” or “personal information and restricted information.”