Ohio Disclosure or Notification of Breach of Security of Computerized Personal Information System
Ohio Rev. Code § 1349.19, § 1349.191, § 1349.192
Ohio Rev. Code § 1354.01, et seq.
SUMMARY:
EFFECTIVE. February 17, 2006
WHO DOES THIS LAW APPLY TO. (1) Any person or entity that conducts business in Ohio and owns or licenses computerized data that includes Personal Information; and (2) any person or business that maintains computerized data that includes Personal Information.
WHAT IS A BREACH. Unauthorized acquisition of and access to computerized data that compromises the security or confidentiality of Personal Information owned or licensed by a person or business, which causes or is reasonably likely to cause a risk of identity theft or other fraud to an Ohio resident. A good faith acquisition of Personal Information by an employee or agent of the owner for internal purposes only is not a breach, if it is not used or subject to further unauthorized disclosure. In addition, acquisition of Personal Information by a search warrant, court order or by duty of a state regulatory agency does not constitute a security breach.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted, redacted, or secured by any other method rendering the element unreadable:
- Social Security Number.
- Driver’s license number or State identification card number.
- Account number, credit card or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
Personal Information does not include publicly available information that is lawfully available from Federal, State, or local government records, or widely distributed media.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the residents affected. Disclosure may be made according to a written contract entered into prior to the breach, provided that it does not conflict with any provisions of this Section.
If more than 1,000 Ohio residents are involved in a breach, the person or business shall also notify all consumer reporting agencies that maintain files on consumers nationwide of the timing, distribution and content of the notice.
EXCEPTION. This Section does not apply to the following:
- A financial institution, trust company, credit union or affiliate that is required by Federal law to notify its customers of an information security breach and is subject to audit by its regulatory agency for compliance.
- Any person or business that is regulated by §§ 1171–1179 of the Social Security Act.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent when the person or business discovers or is notified of an incident of unauthorized acquisition. The disclosure shall be made in the most expedient manner possible, but no later than 45 days following discovery or notification of the breach, consistent with the needs of law enforcement and any measures necessary to determine the nature and scope of the breach, and to restore the reasonable integrity of the data system. Notification may be delayed if law enforcement determines it will impede a criminal investigation or jeopardize national security. In that instance, notification will be made after clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Telephonic.
- Electronic (if it is the primary means of communication with the affected resident).
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the person or business can demonstrate that the cost of providing notice will exceed $250,000, the affected class of persons to be notified exceeds 500,000, or the person or business has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the person or business has an email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the person or business if one is maintained.
- Notification to major statewide media, such that the cumulative audience is greater than or equal to 75% of the State population.
If the person or business required to give notice has 10 or fewer employees, and the cost of giving notice will exceed $10,000, substitute notice shall consist of all of the following:
- Advertisement in a locally distributed newspaper where the business is located:
  - Large enough to cover at least 25% of the page.
  - Published at least once per week for three weeks.
- Conspicuous posting of the notice on the website of the person or business if one is maintained.
- Notification of major media outlets in the geographic area in which the business is located.
NOTICE TO THIRD-PARTIES. If a person or business maintains computerized data that includes Personal Information that it does not own, then the person or business shall notify the owner of the breach as soon as possible. The person or business that owns or licenses the computerized data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. The State Attorney General shall have the sole authority to investigate and bring a civil lawsuit to enforce any violations of this Section, including:
- Temporary restraining order.
- Temporary or permanent court order to prevent further violations.
- Civil penalties for intentional or reckless failure to comply with this Section:
  - Up to $1,000 per day, for up to 60 days.
  - Up to $5,000 per day, for the 61st day up to 90 days.
  - Up to $10,000 for each day over 90 days.
- Attorney’s fees and costs.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES. Ohio Rev. Code § 1354.01, et seq., covers businesses maintaining recognized cybersecurity programs, including safe harbor requirements and reasonable conformance. It does not provide a private right of action. There is a severability provision for the covered entity.
DATA DISPOSAL PROVISIONS. None.
LEGISLATIVE UPDATES.
H.B. 104 – Signed into law on 11/17/2005, Amended by S.B. 126.
S.B. 126 – Signed into law on 12/29/2006, Effective 2/17/2006 and 3/30/2007.
S.B. 220 – Effective 11/2/2018. (Ohio Rev. Code § 1354.01, et seq.)
For more information, see here: https://codes.ohio.gov/ohio-revised-code/section-1349.19
AND
https://codes.ohio.gov/ohio-revised-code/chapter-1354
AND
https://www.ohioattorneygeneral.gov/Files/Publications-Files/Publications-for-Business/Data-Breach-Prevention-and-Response-Guide-for-Smal
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.