|Personal Information Security Breach (Known by citation).|
Ohio Rev. Code §§ 1347.12, (Agency disclosures);
1349.19 (Privacy disclosure of security breach);
1349.191 (Investigation of Noncompliance); and
1349.192 (Enforcement action by Attorney General)
|SUMMARY||The laws require that if an individual or a commercial entity that conducts business in Ohio and that owns or licenses computerized data that includes personal information about a resident of Ohio becomes aware of a breach of the security of their computer system, the business or entity should conduct a prompt investigation to determine if personal information has been compromised and assess the risk of misuse. The law also requires the individual or the commercial entity provide notice as soon as possible to the affected Ohio resident unless the investigation determines that the misuse of information about an Ohio resident has not occurred and is not reasonably likely to occur.|
The law covers ‘Personal Information’ which is defined to include an individual’s name, consisting of the individual’s first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable:
Any state agency or agency of a political subdivision that owns or licenses computerized data that includes personal information.
Any person that owns or licenses computerized data that includes personal information.
|PENALTIES||The Ohio Attorney General has exclusive authority to bring an enforcement action. The Attorney General may pursue civil penalty that varies, depending on whether the defendant acted in bad faith.|