Ohio

Data Breach Notification Statute

Highlights

Covered Entities: Individuals, businesses, governmental entities, and other entities that own, license, or maintain Personal Information (“PI”).

Consumer Notification: Notification must be provided to any Ohio resident whose unencrypted, unredacted, or altered PI was, or is reasonably believed to have been, accessed and acquired without authorization.

Regulatory Notification: N/A

Notification Timeline: Notification must be provided in the most expedient time possible and without unreasonable delay, but not later than 45 days after discovery of the breach.

Data Format: Electronic.

Citations: Ohio Rev. Code Ann. §§ 1349.19, 1349.191, 1349.192.

More Details

Definitions:

  • Breach: Unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a person and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state.
  • Personal Information (PI):
    • An individual’s first name or first initial and last name in combination with one or more of the following data elements:
      • Social security number;
      • Driver’s license or state identification card number; or
      • Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual's financial account.
  • Medical Information: N/A
  • Health Insurance Information: N/A

Safe Harbors:

  • Encryption: Notification is not required where the potentially impacted PI was encrypted.
  • Good Faith: Notification is not required where the potentially impacted PI was acquired in good faith by an employee or agent, for the purposes of the relevant person, business, or agency.
  • Risk of Harm: Notification is not required if the entity reasonably believes that the breach has not and will not cause a material risk of identity theft or other fraud to any resident.
  • Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation or jeopardize homeland or national security.

Direct Notice:

  • Timing: Notification must be provided in the most expedient time possible and without unreasonable delay, but not later than 45 days after discovery or notification of the breach in the security of the system.
  • Format: N/A
  • Content: N/A
  • Method: Written, electronic (if that is the primary method of communication with the resident), or telephonic.

Substitute Notice:

An entity may provide substitute notice if (1) the cost of providing notice would exceed $250,000, (2) the notification population exceeds 500,000, or (3) the entity does not have sufficient contact information. Substitute notice must include: (1) email notice, where an email address is available; (2) conspicuous posting on the entity’s webpage, if one is maintained; and (3) notice to statewide media.

Remediation Services:

N/A

Regulatory Notice:

N/A

Credit Reporting Agencies Notice:

In the event a business provides notice to more than 1,000 persons at one time, the entity must notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, of the timing, distribution, and content of the notice.

Third-Party Notice:

Any entity that maintains personal information on behalf of another entity must notify that entity as expeditiously as possible following discovery of, or reasonable belief in, a breach involving personal information owned by the other entity, where the unauthorized access or acquisition will cause, or is reasonably believed to cause, a material risk of identity theft or other fraud.

HIPAA:

N/A

Private Action:

N/A

Associated Regulations:

  • Insurance Data Security (Ohio Rev. Code Ann. §§ 3965.01 to 3965.11)
  • Information Security Standard (Ohio Rev. Code Ann. §§ 1354.01 et seq.)
  • Ohio Rev. Code Ann. § 1347.12.

Insurance Data Security Statute

Highlights

Covered Entities (Licensee): Any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this state. Licensee includes an insurer. Licensee does not include a purchasing group or a risk retention group chartered and licensed in another state or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

Security Standard:

  • Each licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment. The program shall be commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control.
  • The information security program shall contain administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information system and shall be designed to do all of the following:
    • Protect the security and confidentiality of nonpublic information and the security of the information system;

    • Protect against any threats or hazards to the security or integrity of nonpublic information and the information system;

    • Protect against unauthorized access to or use of nonpublic information and minimize the likelihood of harm to any consumer;

    • Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed.

  • The licensee shall do all of the following:
    • Designate one or more persons or entities to act on behalf of the licensee and be responsible for the information security program;

    • Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including threats to the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers;

    • Assess the likelihood and potential damage of the threats described in division (C)(2) of this section, taking into consideration the sensitivity of the nonpublic information;

    • Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage the threats described in division (C)(2) of this section, including consideration of such threats in each relevant area of the licensee's operations, including all of the following:

      • Employee training and management;

      • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal;

      • Detecting, preventing, and responding to attacks, intrusions, or other systems failures.

    • Implement information safeguards to manage the threats identified in its ongoing assessment;

    • Not less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures.

  • Based on its risk assessment, the licensee shall do all of the following:
    • Design its information security program to mitigate the identified risks in a way that is commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control;

    • Determine which of the following security measures are appropriate and implement such security measures:

      • Place access controls on information systems, including controls to authenticate and permit access only to authorized individuals, to protect against the unauthorized acquisition of nonpublic information;

      • Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy;

      • Restrict access at physical locations containing nonpublic information to authorized individuals;

      • Protect by encryption or other appropriate means all nonpublic information while such information is being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media;

      • Adopt secure development practices for in-house developed applications utilized by the licensee and procedures for evaluating, assessing, or testing the security of externally developed applications utilized by the licensee;

      • Modify the information system in accordance with the licensee's information security program;

      • Utilize effective controls, which may include multifactor authentication procedures for accessing nonpublic information;

      • Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems;

      • Include audit trails within the information security program designed to detect and respond to cybersecurity events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee;

      • Implement measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures;

      • Develop, implement, and maintain procedures for the secure disposal of nonpublic information in any format.

    • Include cybersecurity risks in the licensee's enterprise risk management process;

    • Stay informed regarding emerging threats or vulnerabilities and utilize reasonable security measures when sharing information relative to the character of the sharing and the type of information shared;

    • Provide its personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the licensee in the risk assessment.

  • If the licensee has a board of directors, the board or an appropriate committee of the board shall, at a minimum, do all of the following:
    • Require the licensee's executive management or its delegates to develop, implement, and maintain the licensee's information security program;

    • Require the licensee's executive management or its delegates to report in writing at least annually, all of the following information:

      • The overall status of the information security program and the licensee's compliance with this chapter;

      • Material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, third-party service provider arrangements, results of testing, cybersecurity events or violations and management's responses thereto, and recommendations for changes in the information security program.

    • If executive management delegates any of its responsibilities under this section, it shall oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegates and shall require the delegates to submit a report that complies with the requirements of division (E)(2) of this section.
  • A licensee shall exercise due diligence in selecting its third-party service provider.
  • A licensee shall require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider.
  • The licensee shall monitor, evaluate, and adjust, as appropriate, the information security program consistent with all of the following:
    • Any relevant changes in technology;

    • The sensitivity of its nonpublic information;

    • Internal or external threats to information;

    • The licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

  • As part of its information security program, each licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the licensee's information systems, or the continuing functionality of any aspect of the licensee's business or operations.

    • The incident response plan described in division (H)(1) of this section shall address all of the following areas:

      • The internal process for responding to a cybersecurity event;

      • The goals of the incident response plan;

      • The definition of clear roles, responsibilities, and levels of decision-making authority;

      • External and internal communications and information sharing;

      • Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;

      • Documentation and reporting regarding cybersecurity events and related incident response activities;

      • The evaluation and revision as necessary of the incident response plan following a cybersecurity event.

  • By the fifteenth day of February of each year, unless otherwise permitted to file on the first day of June in division (I)(2) of this section, each insurer domiciled in this state shall submit to the superintendent of insurance a written statement certifying that the insurer is in compliance with the requirements set forth in this section. Each insurer shall maintain for examination by the department of insurance all records, schedules, and data supporting this certificate for a period of five years. To the extent an insurer has identified areas, systems, or processes that require material improvement, updating, or redesign, the insurer shall document the identification and the remedial efforts planned and underway to address such areas, systems, or processes. Such documentation must be available for inspection by the superintendent.
    • Notwithstanding division (I)(1) of this section, an insurer domiciled in this state and licensed exclusively to conduct business in this state and no other state shall be permitted to submit to the superintendent of insurance a written statement certifying that the insurer is in compliance with the requirements set forth in this section as part of the insurer's corporate governance annual disclosure required by section 3901.073 of the Revised Code.
  • A licensee that meets the requirements of this chapter shall be deemed to have implemented a cybersecurity program that reasonably conforms to an industry-recognized cybersecurity framework for the purposes of Chapter 1354. of the Revised Code.

Consumer Notification: A licensee shall comply with the Ohio Data Breach Notification Statute (Ohio Rev. Code Ann. § 1349.19), as applicable.

Regulatory Notification: A licensee shall notify the superintendent of insurance as promptly as possible, but in no event later than three business days after determining that a cybersecurity event involving nonpublic information in the licensee's possession occurred, if (1) “[t]his state is the licensee’s state of domicile, in the case of an insurer, or this state is the licensee’s home state, in the case of an independent insurance agent” and “[t]he cybersecurity event has a reasonable likelihood of materially harming a consumer or a material part of the normal operations of the licensee” or if (2) “[t]he licensee reasonably believes that the nonpublic information involved relates to two hundred fifty or more consumers residing in this state and the cybersecurity event is either of the following:” (a) an event impacting the licensee and requiring notice to a governmental body, self-regulatory agency, or any other supervisory body under state or federal law; or (b) an event reasonably likely to harm materially a consumer of the state or any material part of the licensee’s normal operations.

Notification Timeline: As promptly as possible, but in no event later than three business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred.

Citations: Ohio Rev. Code Ann. §§ 3965.01 to 3965.11.

More Details

Definitions:

  • Consumer: [An] individual who is a resident of this state and whose nonpublic information is in a licensee's possession, custody, or control. Consumer includes an applicant, policyholder, insured, beneficiary, claimant, and certificate holder.
  • Cybersecurity Event: [An] event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information stored on an information system that has a reasonable likelihood of materially harming any consumer residing in this state or any material part of the normal operations of the licensee. "Cybersecurity event" does not include the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization. "Cybersecurity event" does not include an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
  • Licensee: [A]ny entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this state. 'Licensee' includes an insurer. 'Licensee' does not include a purchasing group or a risk retention group chartered and licensed in another state or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
  • Nonpublic Information: [I]nformation that is not publicly available information and is one of the following:
    • Business-related information of a licensee the tampering with, unauthorized disclosure of, access to, or use of which, would cause a material adverse impact to the business, operation, or security of the licensee;
    • Information concerning a consumer that because of the name, number, personal mark, or other identifier contained in the information can be used to identify that consumer in combination with any one or more of the following data elements:
      • Social Security number;
      • Driver's license, commercial driver's license, or state identification card number;
      • Account, credit card, or debit card number;
      • Any security code, access code, or password that would permit access to the consumer's financial account; or
      • Biometric records.
    • Any information or data, except age or gender, that is in any form or medium created by or derived from a health care provider or a consumer, that can be used to identify a particular consumer, and that relates to any of the following:
      • The past, present, or future physical, mental, or behavioral health or condition of the consumer or a member of the consumer's family;
      • The provision of health care to the consumer; or
      • The payment for the provision of health care to the consumer.

Content Requirements:

When providing required notification, the licensee shall provide as much of the following information as possible:

  • The date of the cybersecurity event;
  • A description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of any third-party service providers;
  • How the cybersecurity event was discovered;
  • Whether any lost, stolen, or breached information has been recovered and, if so, how this was done;
  • The identity of the source of the cybersecurity event;
  • Whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when such notification was provided;
  • A description of the specific types of information acquired without authorization. "Specific types of information" means particular data elements, including types of medical information, types of financial information, or types of information allowing identification of the consumer;
  • The period during which the information system was compromised by the cybersecurity event;
  • The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the superintendent and update this estimate with each subsequent report to the superintendent pursuant to this section;
  • The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed;
  • A description of efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur;
  • A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event;
  • The name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.

The licensee shall provide the information to the superintendent in electronic form. The licensee has a continuing obligation to update initial and supplemental notifications to provide details on material developments relating to the cybersecurity event. The licensee must comply with section 1349.19 of the Revised Code, if applicable, and provide the superintendent with a copy of the notice letter sent to the consumers.

Third-Party Notice Requirements:

If a licensee becomes aware of a cybersecurity event in a system maintained by a third-party service provider, the licensee shall treat the event as it would under division (A) of this section.

Penalties:

(A) The superintendent of insurance shall have power to examine and investigate into the affairs of any licensee to determine whether the licensee has been or is engaged in any conduct in violation of this chapter. This power is in addition to the powers that the superintendent has under Title XXXIX and Chapters 1739. and 1751. of the Revised Code.

(B) Whenever the superintendent has reason to believe that a licensee has been or is engaged in conduct in this state that violates this chapter, the superintendent may take any necessary or appropriate action to enforce the provisions of this chapter.

Associated Regulations:

N/A

Information Security Standard

Highlights

Business: Any limited liability company, limited liability partnership, corporation, sole proprietorship, association, state institution of higher education, private college, or other group, however organized and whether operating for profit or not for profit, including a financial institution organized, chartered, or holding a license authorizing operation in Ohio, any other state, the United States, or any other country, or the parent or subsidiary of any of the foregoing.

Covered Entities: A business that accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside of Ohio.

First Party Security Standard: A covered entity must do one of the following:

  • Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information (“PI”) and that reasonably conforms to an industry recognized cybersecurity framework; or
  • Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of both PI and restricted information (“RI”) and that reasonably conforms to an industry recognized cybersecurity framework.

Data Format: Electronic.

Citations: Ohio Rev. Code Ann. §§ 1354.01 et seq.

More Details

Definitions:

  • Industry Recognized Cybersecurity Framework: A cybersecurity program reasonably conforms to an industry recognized cybersecurity framework if any of the following applies:
    • The cybersecurity program conforms with the current version of:
      • The framework for improving critical infrastructure cybersecurity developed by the national institute of standards and technology (“NIST”);
      • NIST special publication 800-171;
      • NIST special publications 800-53 and 800-53a;
      • The federal risk and authorization management program (“FedRAMP”) security assessment framework;
      • The center for internet security critical security controls for effective cyber defense; or
      • The international organization for standardization/international electrotechnical commission 27000 family - information security management systems.
    • The covered entity is regulated by Ohio, the federal government, or both, or is otherwise subject to, and complies with, the requirements of any of the laws or regulations listed below:
      • The security requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”);
      • Title V of the Gramm-Leach-Bliley Act of 1999 (“GLBA”);
      • The Federal Information Security Modernization Act of 2014 (“FISMA”);
      • The Health Information Technology for Economic and Clinical Health Act (“HITECH”).
    • The cybersecurity program complies with the payment card industry data security standard (“PCI-DSS”).
  • Personal Information (PI): An individual’s first name or first initial and last name in combination with one or more of the following data elements:
    • Social Security number;
    • Driver’s license number or Ohio identification card number; or
    • Financial account or payment card number plus any required security code, access code, or password that would permit access to an individual’s financial account.
    • PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
  • Restricted Information (RI): Any information about an individual, other than PI, that, alone or in combination with other information, including PI, can be used to distinguish or trace the individual's identity or that is linked or linkable to an individual, if the information is not encrypted, redacted, or altered by any method or technology in such a manner that the information is unreadable, and the breach of which is likely to result in a material risk of identity theft or other fraud to person or property.

Methods of Compliance:

Separate from conformance with any of the Industry Recognized Cybersecurity Frameworks listed above, the statute treats a cybersecurity program that does all of the following as meeting these requirements:

  • Protect the security and confidentiality of the information;
  • Protect against any anticipated threats or hazards to the security or integrity of the information; and
  • Protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.

The scale and scope of a covered entity’s cybersecurity program is appropriate if it is based on the following factors:

  • The size and complexity of the covered entity;
  • The nature and scope of the activities of the covered entity;
  • The sensitivity of the information to be protected;
  • The cost and availability of tools to improve information security and reduce vulnerabilities; and
  • The resources available to the covered entity.

Exclusions:

N/A

Enforcement/Penalties:

N/A

Associated Regulations:

N/A

Constangy, Brooks, Smith & Prophete, LLP Cookie Preference Center