Ohio is innovating in Cyber Security!
I never thought I would say those words, especially about my home state of Ohio! But a recently passed bill in Ohio will allow companies that have implemented a recognized security framework an affirmative defense in tort law against a plaintiff arguing that the company failed to implement reasonable security controls. They are calling it a "safe harbor" of sorts.
It says that if a "covered entity," defined as "businesses that access, maintain, communicate or process personally identifiable information (PII) in one or more system or network in Ohio," "reasonably conforms" to a current framework like NIST, GLBA, FISMA, HITECH or PCI-DSS, they have an "affirmative defense," meaning they are presumed to be acting reasonably.
It is not perfect: the company still has to prove it is actually following the framework in a reasonable way. But it is a novel and decent attempt to get SMBs interested in doing something about cyber security. Bravo OHIO!