In another case of the states supporting data security best practices, Ohio has upped its game. The Buckeye State has enacted a safe harbor law that protects businesses that implement strong cybersecurity protocols. “Effective Nov. 2, 2018, Ohio’s Data Protection Act (DPA) has been supplemented with an incentive-based mechanism to strengthen cybersecurity business practices,” write attorneys Allen O’Rourke, Theodore F. Claypoole, and Alysa M. P. Austin of Womble Bond Dickinson, LLP in legal analysis. “Specifically, it offers a safe harbor against data breach lawsuits for businesses that implement, maintain and comply with an industry-recognized cybersecurity program (S.B. 220).” Organizations that take the protection of personal information seriously may have a fallback, depending on the stringency of their programs, according to the Ohio Data Protection Act (DPA) guidance. However, the DPA does require that cybersecurity protocols keep in line with other mandates such as HIPAA or the National Institute of Standards and Technology (NIST) frameworks in order for safe harbors to apply. Read the DPA details at www.legislature.ohio.gov/legislation/legislation-summary?id=GA132-SB-220.