Ohio Pioneered Legal Protection for Cyber-Prepared Businesses
SB 220 gives companies an affirmative defense in data breach lawsuits — if they maintain a qualifying cybersecurity program.
What SB 220 Does for You
If your business suffers a data breach and faces a lawsuit in Ohio, SB 220 gives you an affirmative defense — as long as you had a qualifying written cybersecurity program in place. The defense applies to tort claims, including:
Negligence: alleging you failed to implement reasonable security controls.
Privacy invasion: alleging unauthorized access compromised personal or restricted information.
Other tort claims: any tort-based action arising from a data breach concerning protected information.
What Your Program Needs
The law is deliberately flexible — your program must be proportionate to your business. Four conditions:
Written cybersecurity program: administrative, technical, and physical safeguards protecting personal and restricted information.
Conformance to a recognized framework: reasonable conformance — not certification — to one or more of the frameworks listed below.
Appropriate scale and scope: proportionate to your size, complexity, data sensitivity, cost of tools, and available resources.
Stay current with updates: adopt revisions to your chosen framework within one year of publication.
* PCI DSS must be used in conjunction with a general framework.
Reasonable Conformity, Not Perfection
“Reasonable Conformity” ≠ Perfection
The law does not require certification or flawless implementation. You must demonstrate reasonable conformance to your chosen framework — a good-faith, proportionate effort appropriate to your business.
What the defense doesn't cover: contract claims, statutory claims, regulatory enforcement actions, or claims brought outside Ohio courts. The defense applies only to tort claims under Ohio law.
Every Requirement. One Platform.
Written program with safeguards: 73-domain assessment plus a policy creation wizard to build your program.
Framework conformance: NIST CSF, ISO 27001, SOC 2, HIPAA and PCI DSS.
Appropriate scale and scope: conditional logic adapts to your size, industry and environment.
Stay current with framework updates: periodic reassessment, implementation tracking and reporting.
Protection of personal and restricted information: assesses safeguards, generates policies and guides implementation.
A Growing National Movement
Seven states and counting. The program you build for Ohio qualifies you elsewhere too.
Ready to Build Your Defense?
See how SignumCyber helps you qualify for safe harbor protection — and turn security into a business advantage.
30 minutes. No pressure. Just clarity.
This page is general information about Ohio's Data Protection Act (SB 220), not legal advice. Consult a qualified attorney for guidance specific to your organization.