On November 2, Ohio's amended data breach notification law went into effect. The amended law provides companies with a "safe harbor" against tort actions brought under Ohio law alleging a lack of reasonable information security controls. To qualify for the safe harbor, companies must adopt reasonable cybersecurity measures and ensure that the company's cybersecurity measures "reasonably conform" to certain industry-recognized frameworks. Companies also must tailor the scope of their cybersecurity program to the company's size, complexity, and nature of the company's activities, among other requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.