Ohio Senate Bill 220 goes into effect on Friday, November 2, 2018.

The new law incentivizes businesses for implementing cyber security programs. Companies and corporations with a written cyber security program may assert “affirmative defense” to a tort claim related to a data breach.

To be eligible, a business must create, comply with, and periodically maintain a cyber security program that contains safeguards protecting both personal and restricted information, and which complies with at least one of the following three stipulations:

1) If a business institutes a policy that reasonably complies with at least one of the six industry-recognized cyber security frameworks.
2) If a business is regulated by the state or federal government, or both, and complies with HIPAA, GLBA, or FISMA guidelines.
3) If a business falls under PCI-DSS and reasonably complies with PCI-DSS guidelines and adopts one of the six industry-recognized frameworks.

If any one of these platforms are revised after implementation, the business in question has one year from the date of the latest revision to amend its cyber security policy in order to maintain the guidelines of that framework.

HBK can help with the creation and implementation or update of a cyber security program, as well as addressing other cyber security concerns or questions.

HBK can assist you with cyber security topics or questions. Please contact Matt Schiavone at mschiavone@hbkcpa.com, Bill Heaven at wheaven@hbkcpa.com, or Steve Franckhauser at sfranckhauser@hbkcpa.com for assistance.