States Beginning to Legislate Cybersecurity

Ohio has become the first state to legislate incentives for corporate entities to develop and implement effective data privacy and cybersecurity procedures. As of November 1, 2018, an organization can claim an affirmative defense to a lawsuit that alleges a data breach was caused by failure to implement a cybersecurity framework if that organization has a cybersecurity program that reasonably complies with one of several industry-recognized cybersecurity frameworks, which are listed in the Act. California and Colorado now have cybersecurity legislation on the books. California’s is effective on January 1, 2020, and is similar to the Colorado law that went into effect last September. That law requires businesses and government agencies to maintain a written policy describing how they will dispose of personally identifiable information, notify consumers of a data breach within 30 days of the breach, and take reasonable steps to protect the PII it maintains. PII is defined broadly. It includes social security numbers, passwords, pass codes, driver’s license numbers, passport numbers, biometric data, and financial account numbers.