The Ohio Legislature recently passed an innovative cybersecurity law that provides an important opportunity for companies doing business in the state. The Ohio Data Protection Act (ODPA) (S.B. 220) grants an affirmative defense against data breach tort claims to those businesses that bring their cybersecurity frameworks up to an industry standard. Other states’ cybersecurity laws focus on requirements or penalties. The Ohio statute uses an affirmative defense to incentivize companies to improve their cybersecurity practices. There are many open questions about this first-of-its-kind law. Are the industry standards it identifies sufficiently protective? Will the new affirmative defense actually convince companies to enhance their cybersecurity programs? How can businesses qualify for the affirmative defense? How will the ODPA affect data breach tort litigation in the state? The Ohio State University Moritz College of Law Program on Data and Governance and the Cleveland-Marshall College of Law Center for Cybersecurity and Privacy Protection recently published an in-depth analysis of the ODPA. Visit go.osu.edu/cyberwhitepaper to read the paper.