Substitute Senate Bill 220 Summary

• Establishes a legal safe harbor allowing covered entities that implement specified cybersecurity programs to assert an affirmative defense against tort claims alleging failure to implement reasonable information security controls resulting in a data breach.

• Permits covered entities to satisfy safe harbor requirements by creating and maintaining written cybersecurity programs containing administrative, technical, and physical safeguards that reasonably conform to industry-recognized frameworks including NIST, FedRAMP, Center for Internet Security, ISO/IEC 27000, HIPAA, Gramm-Leach-Bliley Act, or PCI data security standards.

• Requires covered entity cybersecurity programs to be appropriately scaled and scoped based on entity size and complexity, nature of activities, information sensitivity, cost and availability of security tools, and available resources.

• Modifies the Uniform Electronic Transactions Act to recognize blockchain-secured records and signatures as electronic records and electronic signatures.

• Alters the definition of "key employee" under Ohio Casino Gaming Law to clarify it means individuals holding more than 1% ownership interest rather than more than 5%, and individuals performing principal officer functions.