This practice note discusses the Ohio Data Protection Act’s (ODPA) new legal safe harbor against data breach claims and how to comply with the requirements set out in the statute. Effective November 2, 2018, businesses and nonprofit entities that create and maintain a cybersecurity program in accordance with the ODPA’s requirements can assert their compliance as an affirmative defense to any tort action brought in Ohio alleging that the failure to implement reasonable information security controls caused a data breach. Ohio Rev. Code Ann. § 1354.02.