Organizations struggle to understand how the government will view their security programs, and what liability they will have after a data security incident. In the absence of U.S. federal regulation, more states are taking legislative action to provide some clarity. The recently signed Ohio Data Protection Act, which comes into effect on November 2, 2018, will create a safe harbor for covered entities that implement a cybersecurity program in accordance with the act’s requirements. Organizations will be able to use the safe harbor as an affirmative defense in post-breach litigation. The Act is likely to benefit businesses that qualify for the safe harbor, but its greatest significance, said Jason Wool, a counsel at ZwillGen, is that it may be “indicative of a future trend in which states – and maybe even the federal government – will provide meaningful incentives to companies for the implementation of cybersecurity frameworks and standards on a voluntary basis.” See also “Colorado’s Revised Cybersecurity Law Clarifies and Strengthens Existing Requirements” (Sep. 12, 2018); and “Analyzing New and Amended State Breach Notification Laws” (Jun. 6, 2018).