Sometimes, you do the best you can, but things happen anyway.
You follow all the best practices, all your systems are locked down, you spend twice as much as your peers on cybersecurity, you have cyber insurance in place, and a hacker still gets through. You get sued, there’s a judgment against your company that’s more than the maximum payout on your cyber insurance policy, and you’re out of business. Your company is paying the price for something completely out of its control.
Some industries have “safe harbor” laws to protect companies against these kinds of problems. Take, for example, copyright infringement lawsuits against websites. If your website has stolen content on it, then you’re in the wrong and should have to pay for it. But what if the stolen content was uploaded by a random user, and you didn’t know that the content was stolen? The Digital Millennium Copyright Act in the US and similar laws in most other countries protect companies from lawsuits as long as they do their best to take down infringing content as soon as they’re told about it.
Now Ohio has a similar law — but for data breaches. The state’s Data Protection Act went into effect in late 2018 and, unlike the recent privacy-related laws passed by California and Colorado, it rewards companies for doing the right things instead of punishing them when things go wrong.