Click here to review text of state statute.
[For specific rules applicable to state agencies – see Ohio Rev. Code §1347.12.]
[For specific Safe Harbor Requirements – see Sec. 1354.02 of the Revised Codes]
Information Covered / Important Definitions
Personal information of Ohio residents.
“Security Breach” means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information or restricted information owned by or licensed to a covered entity and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to person or property.
“Encryption” means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
“Redacted” means altered or truncated so that no more than the last four digits of a social security number, driver’s license number, state identification card number, account number, or credit or debit card number is accessible as part of the data.
Covered Entities* / Third Party Recipients
Subject to statute:
Any person, legal entity, or business entity that conducts business in the state that owns or licenses computerized data that includes personal information.
Third party recipients:
Any person that, on behalf of or at the direction of another person or governmental entity, is the custodian of or stores computerized data that includes personal information, must notify that other person or governmental entity of any security breach in an expeditious manner if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to an Ohio resident.
Notice Procedures & Timing / Other Obligations
Written, electronic, or telephonic notice must be provided to victims of a security breach within the most expedient time possible but no later than forty-five (45) days following the discovery of the breach, unless a law enforcement agency determines that notice will impede an investigation (in which case notification is delayed until authorized by law enforcement).
- Substitute notice is available by means prescribed in the statute if costs to exceed $250,000, affected class exceeds 500,000 persons, or covered entity has insufficient contact information. Substitute notice also available to business entities with 10 employees or fewer that demonstrate costs will exceed $10,000.
- Notification required solely in the case of breaches that have caused or are reasonably likely to cause a material risk of identity theft or other fraud to an Ohio resident.
Any covered entity that must notify more than 1,000 Ohio residents at one time of a security breach is also required to notify without unreasonable delay consumer reporting agencies without delaying notice to affected Ohio residents.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
A covered entity may seek an affirmative defense under sections 1354.01 to 1354.05 of the Revised Code by means found in section 1354.02.
Exemption for good faith acquisition of personal information or restricted information by the covered entity's employee or agent for the purposes of the covered entity's, provided that the personal information or restricted information is not used for an unlawful purpose or subject to further unauthorized disclosure.
A covered entity subject to HIPAA is deemed in compliance with the Ohio statute.
A financial institution, trust company or credit union, or any affiliates thereof, subject to and in compliance with information security breach protocols imposed by a functional government regulatory agency, is deemed in compliance with Ohio statute.
Notification to Regulator / Waiver
A determination of no likelihood of harm: Does not require notification to attorney general.
A waiver of the statute is void and unenforceable.
Civil penalty of up to $1,000 for each day of non-compliance with statute, up to $5,000 per day after 60 days, and up to $10,000 per day after 90 days.
Private Cause of Action / Enforcement
Private Cause of Action: No.
Enforcement by attorney general only.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.
Click here to review text of state statute