Rigorous Security Breach Legislation in the State of Ohio

Ohio Rev. Code §§ 1349.19 – 192 is a data breach notification law that was passed in the U.S. state of Ohio in 2006 and went into effect the following year. Ohio Rev. Code §§ 1349.19 – 192 was passed for the purposes of regulating data breach incidents that occur within the state of Ohio, and lays out several requirements that agencies, businesses, and organizations that operate within the state are required to follow in the event that a security breach occurs. To this point, the law also empowers the Ohio Attorney General to levy fines and penalties against entities within Ohio that are found to be in violation of the law.

What is the scope and application of Ohio Rev. Code §§ 1349.19 – 192?

In terms of the scope and applicability of Ohio Rev. Code §§ 1349.19 – 192, the provisions established in the law apply to “any individual, corporation, business trust, estate, trust, partnership, or association (collectively, Entity) that conducts business in OH and owns or licenses computerized data that includes PI.” On the other end of the spectrum, “the provisions governing the maintenance of PI that the Entity does not own appear applicable to any Entity maintaining PI, whether or not the Entity conducts business in OH, and good faith acquisitions of personal information or the acquisition of personal information for judicial purposes, such as subpoenas, search warrants or other court orders are not considered data breaches.”

What are the data breach notification requirements under Ohio Rev. Code §§ 1349.19 – 192?

Under Ohio Rev. Code §§ 1349.19 – 192, an entity that experiences a data breach within the state is required to provide notice to all affected individuals and parties within 45 days of the discovery of such occurrence. Moreover, affected entities are also responsible for providing notification to the three major credit reporting agencies within the U.S. in the event that a security breach impacts more than 1,000 residents within the state of Ohio. Additionally, third parties that handle personal information on behalf of business entities and organizations within the state are also subject to the same provisions established in the law as it concerns data breach notification.

What categories of personal information are protected under Ohio Rev. Code §§ 1349.19 – 192?

Under Ohio Rev. Code §§ 1349.19 – 192, the following data elements are protected should they be compromised following a data breach, in combination with an Ohio resident’s first name or first initial and last name, unless said data elements have been redacted, encrypted, or altered by any other technological method that renders the data unreadable:

• Social security numbers.
• Driver’s license numbers and state identification card numbers.
• Account numbers, credit card numbers, and debit card numbers, in addition to any required access codes, security codes, or passwords that could be used to permit access to an individual’s financial account.

Conversely, the law does not cover the personal information that is made legally available to the public through one of the following means:

• News, editorial, and advertising statements that are “published in any bona fide newspaper, journal, or magazine, or broadcast over radio or television, or any type of media similar in nature.”
• “Any gathering or furnishing of information or news by any bona fide reporter, correspondent, or news bureau to any bona fide newspaper, journal, magazine, radio or television news media, or any type of media similar in nature.”
• “Any publication designed for and distributed to members of any bona fide association or charitable or fraternal nonprofit corporation, or any type of media similar in nature.”

What are the penalties for violating Ohio Rev. Code §§ 1349.19 – 192?

The provisions of Ohio Rev. Code §§ 1349.19 – 192 are enforceable by the Ohio Attorney General. With this being said, the Ohio Attorney General has the authority to impose the following punishments and penalties against entities within the state that have been proven to have violated the law:

• A temporary restraining order.
• A preliminary or permanent injunction.
• A monetary fine of up to $1,000 per day for the first 60 days of non-compliance.
• An additional fine of up to $5,000 per day after 60 days of non-compliance.
• An additional fine of up to $10,000 per day after 90 days of non-compliance.

The provisions set forth in Ohio Rev. Code §§ 1349.19 – 192 enable the Ohio Attorney General to severely punish entities within the state that are found to have violated the rights of residents of the state as it relates to security breaches. In the context of other U.S. state-based data notification laws, the punishments under Ohio Rev. Code §§ 1349.19 – 192 are more comparable to those that are imposed under international comprehensive data privacy laws such as the General Data Protection Regulation or GPDR. Subsequently, residents within the state of Ohio are afforded a great level of protection as it concerns the unauthorized use and disclosure of personal information.