Unfortunately, Ohio SB 220 went into effect on Friday. Earlier this year, we submitted a letter to the Ohio legislature urging them to protect their residents and avoid creating the loophole SB 220 provides.
This law effectively gives companies a way out of compensating victims of data breaches—provided they implement some specific security steps. This will undoubtedly stifle legitimate public complaints that would otherwise result in reimbursements to the victims.
Effective cybersecurity programs are based on current best practices, the specific security needs of the business and the sector within which the business operates. Perversely, SB 220 provides a safe harbor that encourages a race-to-the-bottom approach to cybersecurity rather than one that takes into consideration the steps a business could and should take to protect Ohio residents’ data.
Ultimately, SB 220 undermines the appropriate standard of care for cybersecurity incidents and will leave Ohio residents more vulnerable to abusive practices from hackers and bad businesses alike.