This past summer, Ohio adopted legislation (SB220) that primarily provides for a legal safe harbor from certain data-breach related tort claims to covered entities that implement a specified cybersecurity program that “reasonably conforms” to a recognized cybersecurity framework for the protection of personal information and “restricted information” or comply with certain industry-specific federal privacy laws. This legislation is intended incentivize businesses to adopt heightened levels of cybersecurity through voluntary action.
Beyond cybersecurity, SB220 also includes language amending Ohio’s version of the Uniform Electronic Transactions Act (UETA) to incentivize blockchain investment and innovation in the state by allowing transactions recorded on the blockchain to be recognized under it. Ohio’s UETA generally stipulates that records or signatures may not be denied legal effect solely because they are in electronic form and that a contract may not be denied legal effect because an electronic record was used in its formation (a discussion of the extent to which any provision of Ohio’s UETA is preempted by the Federal E-Sign Act (15 U.S.C. § 7001) is beyond the scope of this post). In pertinent part, SB220 amends the definition of “electronic record” under the UETA to provide that “a record or contract that is secured through blockchain technology is considered to be in an electronic form and to be an electronic record.” It also amends the definition of “electronic signature” to clarify that a signature that is “secured through blockchain technology is considered to be in an electronic form and to be an electronic signature.” While one could argue that signatures secured using blockchain are already presumably valid under the UETA, such a law expressly takes up this issue and signals the state’s pro-blockchain stance.