The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
Data Breach Notification Statute
Covered Entities: Individuals, businesses, governmental entities, and other entities that own, license, or maintain PI.
Consumer Notification: Notification must be provided to any Ohio resident whose unencrypted, unredacted, and unaltered PI was, or is reasonably believed to have been, accessed and acquired without authorization.
Regulatory Notification: N/A
Notification Timeline: Notification must be provided in the most expedient time possible and without unreasonable delay, but not later than 45 days after discovery of the breach.
Data Format: Electronic.
Citations: Ohio Rev. Code Ann. §§ 1349.19, 1349.191, 1349.192.
- Breach: “Unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a person and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state.”
- Personal information (PI): An Ohio resident’s first name or first initial and last name in combination with one or more of the following with respect to the same Ohio resident:
- Social security number;
- Driver’s license or state identification card number; or
- Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual's financial account.
- Medical Information: N/A
- Health Insurance Information: N/A
- Encryption: Notification is not required where the potentially impacted PI was encrypted, redacted, or otherwise altered so that it is unreadable.
- Good Faith: Notification is not required where the potentially impacted PI was acquired in good faith by an employee or agent of the entity for the purposes of that entity.
- Risk of Harm: Notification is not required if the entity reasonably believes that the breach has not and will not cause a material risk of identity theft or other fraud to any resident.
- Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation or jeopardize homeland or national security.
- Timing: Notification must be provided in the most expedient time possible and without unreasonable delay, but not later than 45 days after discovery or notification of the breach in the security of the system.
- Format: N/A
- Content: N/A
- Method: Written, electronic (if electronic means is the entity’s primary method of communication with the resident), or telephonic.
An entity may provide substitute notice if (1) the cost of providing notice would exceed $250,000, (2) the notification population exceeds 500,000, or (3) the entity does not have sufficient contact information. Substitute notice must include: (1) email notice, where an email address is available; (2) conspicuous posting on the entity’s webpage, if one is maintained; and (3) notice to statewide media.
Credit Reporting Agencies Notice:
In the event a business provides notice to more than 1,000 persons at one time, the entity must notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, of the timing, distribution, and content of the notice.
Any entity that maintains personal information on behalf of another entity must notify that entity as expeditiously as possible after discovering, or reasonably believing, that a breach involving personal information owned by the other entity has occurred and that the unauthorized access or acquisition causes, or is reasonably believed to cause, a material risk of identity theft or other fraud.
- Ohio Rev. Code Ann. § 1347.12.
Insurance Data Security Statute
Covered Entities (Licensee): Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this state. Licensee includes an insurer. Licensee does not include a purchasing group or a risk retention group chartered and licensed in another state or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
Security Standard: A licensee must develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment that contains administrative, technical, and physical safeguards for nonpublic information and the licensee’s information systems. Certain licensees are exempt as set forth in Ohio R.C. Chapter 3965.
Consumer Notification: A licensee shall comply with Ohio’s data breach notification statute, Ohio Rev. Code Ann. § 1349.19, as applicable.
Regulatory Notification: A licensee shall notify the superintendent of insurance as promptly as possible, but in no event later than 3 business days from a determination that a cybersecurity event involving nonpublic information in the possession of the licensee has occurred, when either of the criteria set out below has been met.
Notification Timeline: As promptly as possible, and no later than 3 business days from a determination that a cybersecurity event involving nonpublic information in the possession of the licensee has occurred.
Citations: Ohio R.C. 3965.01 to 3965.11
- Consumer: An individual who is a resident of this state and whose nonpublic information is in a licensee's possession, custody, or control. Consumer includes an applicant, policyholder, insured, beneficiary, claimant, and certificate holder.
- Cybersecurity Event: An event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information stored on an information system that has a reasonable likelihood of materially harming any consumer residing in this state or any material part of the normal operations of the licensee. Cybersecurity event does not include the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization. Cybersecurity event does not include an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
- Licensee: Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this state. Licensee includes an insurer. Licensee does not include a purchasing group or a risk retention group chartered and licensed in another state or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
- Nonpublic Information: Information that is not publicly available information and is one of the following:
- Business-related information of a licensee the tampering with, unauthorized disclosure of, access to, or use of which, would cause a material adverse impact to the business, operation, or security of the licensee;
- Information concerning a consumer that because of the name, number, personal mark, or other identifier contained in the information can be used to identify that consumer in combination with any one (1) or more of the following data elements:
- Social Security number;
- Driver's license, commercial driver's license, or state identification card number;
- Account, credit card, or debit card number;
- Any security code, access code, or password that would permit access to the consumer's financial account; or
- Biometric records.
- Any information or data, except age or gender, that is in any form or medium created by or derived from a health care provider or a consumer, that can be used to identify a particular consumer, and that relates to any of the following:
- The past, present, or future physical, mental, or behavioral health or condition of the consumer or a member of the consumer's family;
- The provision of health care to the consumer; or
- The payment for the provision of health care to the consumer.
Each licensee shall notify the superintendent of insurance as promptly as possible after a determination that a cybersecurity event involving nonpublic information in the possession of the licensee has occurred, but in no event later than 3 business days after that determination, when either of the following criteria has been met:
- Both of the following apply:
- This state is the licensee's state of domicile, in the case of an insurer, or this state is the licensee's home state, in the case of an independent insurance agent.
- The cybersecurity event has a reasonable likelihood of materially harming a consumer or a material part of the normal operations of the licensee.
- The licensee reasonably believes that the nonpublic information involved relates to 250 or more consumers residing in this state and the cybersecurity event is either of the following:
- A cybersecurity event impacting the licensee of which notice is required to be provided to any government body, self-regulatory agency, or any other supervisory body pursuant to any state or federal law; or
- A cybersecurity event that has a reasonable likelihood of materially harming either of the following:
- Any consumer residing in this state; or
- Any material part of the normal operations of the licensee.
In providing the notification described in division (A) of this section, the licensee shall provide as much of the following information as possible:
- The date of the cybersecurity event;
- A description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of any third-party service providers;
- How the cybersecurity event was discovered;
- Whether any lost, stolen, or breached information has been recovered and if so, how this was done;
- The identity of the source of the cybersecurity event;
- Whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when such notification was provided;
- A description of the specific types of information acquired without authorization. "Specific types of information" means particular data elements, including types of medical information, types of financial information, or types of information allowing identification of the consumer.
- The period during which the information system was compromised by the cybersecurity event;
- The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the superintendent and update this estimate with each subsequent report to the superintendent pursuant to this section.
- The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed;
- A description of efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur;
- The name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.
Third-Party Notice Requirements:
If a licensee becomes aware of a cybersecurity event in a system maintained by a third-party service provider, the licensee shall treat the event as it would under division (A) of this section.
The superintendent of insurance has the power to examine and investigate the affairs of any licensee to determine whether the licensee has been or is engaged in any conduct in violation of this chapter. This power is in addition to the powers the superintendent has under Title XXXIX and Chapters 1739. and 1751. of the Revised Code. Whenever the superintendent has reason to believe that a licensee has been or is engaged in conduct in this state that violates this chapter, the superintendent may take any necessary or appropriate action to enforce the provisions of this chapter.
Information Security Standard
Business: Any limited liability company, limited liability partnership, corporation, sole proprietorship, association, state institution of higher education, private college, or other group, however organized and whether operating for profit or not for profit, including a financial institution organized, chartered, or holding a license authorizing operation in Ohio, any other state, the United States, or any other country, or the parent or subsidiary of any of the foregoing.
Covered Entities: A business that accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside of Ohio.
First Party Security Standard: To be entitled to the affirmative defense the statute provides, a covered entity must do one of the following:
- Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information (“PI”) and that reasonably conforms to an industry recognized cybersecurity framework; or
- Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of both PI and restricted information (“RI”) and that reasonably conforms to an industry recognized cybersecurity framework.
Data Format: Electronic.
Citations: Ohio Rev. Code Ann. §§ 1354.01 et seq.
- Industry Recognized Cybersecurity Framework: The following constitute a framework conforming to an industry recognized cybersecurity framework:
- The cybersecurity program conforms with the current version of:
- The framework for improving critical infrastructure cybersecurity developed by the national institute of standards and technology (“NIST”);
- NIST special publication 800-171;
- NIST special publications 800-53 and 800-53a;
- The federal risk and authorization management program (“FedRAMP”) security assessment framework;
- The center for internet security critical security controls for effective cyber defense; or
- The international organization for standardization/international electrotechnical commission 27000 family - information security management systems.
- The covered entity is regulated by Ohio, the federal government, or both, or is otherwise subject to, and complies with, the requirements of any of the following laws or regulations:
- The security requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”);
- Title V of the Gramm-Leach-Bliley Act of 1999 (“GLBA”);
- The Federal Information Security Modernization Act of 2014 (“FISMA”); or
- The Health Information Technology for Economic and Clinical Health Act (“HITECH”).
- The cybersecurity program complies with the current version of the payment card industry data security standard (“PCI-DSS”).
- Personal Information (PI): An individual’s first name or first initial and last name in combination with one or more of the following data elements:
- Social Security number;
- Driver’s license number or Ohio identification card number;
- Financial account or payment card number plus any required security code, access code, or password that would permit access to an individual’s financial account.
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
- Restricted Information (RI): Any information about an individual, other than PI, that, alone or in combination with other information, including PI, can be used to distinguish or trace the individual's identity or that is linked or linkable to an individual, if the information is not encrypted, redacted, or altered by any method or technology in such a manner that the information is unreadable, and the breach of which is likely to result in a material risk of identity theft or other fraud to person or property.
Methods of Compliance:
Separate from conformance with one of the Industry Recognized Cybersecurity Frameworks, the statute requires that the covered entity’s cybersecurity program be designed to do all of the following:
- Protect the security and confidentiality of the information;
- Protect against any anticipated threats or hazards to the security or integrity of the information;
- Protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.
The scale and scope of a covered entity’s cybersecurity program is appropriate if it is based on the following factors:
- The size and complexity of the covered entity;
- The nature and scope of the activities of the covered entity;
- The sensitivity of the information to be protected;
- The cost and availability of tools to improve information security and reduce vulnerabilities; and
- The resources available to the covered entity.