Ohio's new data security law takes the novel approach of rewarding companies for steps they take to protect personal information rather than punishing them in the wake of lapses, but whether this will catch on is likely to hinge on whether the measure's limited liability shield is enough to spur businesses into action, attorneys say.

The voluntary approach in the new law, which was signed in early August and took effect on Nov. 2, marks a stark departure from the nearly two dozen state data security laws already on the books, which threaten companies with fines, lawsuits and enforcement actions for failing to maintain reasonable cybersecurity programs.

While companies are likely to welcome a more incentive-driven approach to regulation, the jury's still out on whether this strategy will ultimately prove effective, attorneys say.

"Existing state laws that require businesses to maintain reasonable cybersecurity standards and have penalty provisions have, at least anecdotally, been much more effective in terms of inducing action by companies than any type of voluntary compliance framework I've seen," said Edward McAndrew, co-leader of Ballard Spahr LLP's Privacy and Data Security Group. "[U]nfortunately, this Ohio law may end up being an example of a piece of legislation that, in concept, may have seemed like a good idea, but in practice may not prove very effective at protecting organizations or affecting their behavior."
