Businesses in the US will be interested in a ground-breaking Ohio law that became official on November 2, 2018. The state's Data Protection Act provides business owners a defensive position when accused of failing to implement adequate cybersecurity protections.  

"Importantly, the new law does not create a minimum cybersecurity standard in Ohio or new cybersecurity regulations that businesses must follow," writes Mary Grob, of McGuireWoods LLP, in the JD Supra article New Cybersecurity Law Offers Safe Harbor Against Tort Claims. "Rather, the law operates by incentivizing businesses to develop and maintain a cybersecurity program that 'reasonably conforms' to an already existing, industry-recognized cybersecurity framework."  

Grob continues, "If the company can prove that it had a compliant cybersecurity program in place at the time of a breach, the company can use the program's existence as an affirmative defense to certain tort claims."