The state of Ohio has implemented its Data Protection Act to encourage businesses to voluntarily adopt strong cybersecurity controls to protect consumer data.

Senate Bill 220, the Data Protection Act, was sponsored by State Senators Bob Hackett (R-London) and Kevin Bacon (R-Westerville) and was signed into law in late 2018.

Senate Bill 220 provides different industry-recognized cybersecurity frameworks which a business can follow when creating its own cybersecurity program. In order to receive the benefit of the safe harbor, a business must create its own cybersecurity program.

The legislation provides an affirmative defense to a lawsuit which alleges a data breach that was caused by a business' failure to implement reasonable information security controls. 

Businesses are only required to incorporate one of the frameworks into the business’ cybersecurity program. Further, businesses are free to choose whichever framework best fits their information security controls.