As Introduced

126th General Assembly
Regular Session
2005-2006
H. B. No. 104


Representatives Martin, McGregor, Trakas, Wagoner, C. Evans, Perry, Seitz 



A BILL
To amend section 1347.01 and to enact sections
1347.12 and 1349.19 of the Revised Code to require
a state agency, person, or business to contact
individuals if unencrypted personal information
about those individuals that is maintained on the
computers of the agency, person, or business is
obtained by unauthorized persons.


BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF OHIO:

       Section 1.  That section 1347.01 be amended and sections
1347.12 and 1349.19 of the Revised Code be enacted to read as
follows:

       Sec. 1347.01.  As used in this chapter, except as otherwise
provided:

       (A) "State agency" means the office of any elected state
officer and any agency, board, commission, department, division,
or educational institution of the state.

       (B) "Local agency" means any municipal corporation, school
district, special purpose district, or township of the state or
any elected officer or board, bureau, commission, department,
division, institution, or instrumentality of a county.

       (C) "Special purpose district" means any geographic or
political jurisdiction that is created by statute to perform a
limited and specific function, and includes, but is not limited
to, library districts, conservancy districts, metropolitan housing
authorities, park districts, port authorities, regional airport
authorities, regional transit authorities, regional water and
sewer districts, sanitary districts, soil and water conservation
districts, and regional planning agencies.

       (D) "Maintains" means state or local agency ownership of,
control over, responsibility for, or accountability for systems
and includes, but is not limited to, state or local agency
depositing of information with a data processing center for
storage, processing, or dissemination. An agency "maintains" all
systems of records that are required by law to be kept by the
agency.

       (E) "Personal information" means any information that
describes anything about a person, or that indicates actions done
by or to a person, or that indicates that a person possesses
certain personal characteristics, and that contains, and can be
retrieved from a system by, a name, identifying number, symbol, or
other identifier assigned to a person.

       (F) "System" means any collection or group of related records
that are kept in an organized manner and that are maintained by a
state or local agency, and from which personal information is
retrieved by the name of the person or by some identifying number,
symbol, or other identifier assigned to the person. "System"
includes both records that are manually stored and records that
are stored using electronic data processing equipment. "System"
does not include collected archival records in the custody of or
administered under the authority of the Ohio historical society,
published directories, reference materials or newsletters, or
routine information that is maintained for the purpose of internal
office administration, the use of which would not adversely affect
a person.

       (G) "Interconnection of systems" means a linking of systems
that belong to more than one agency, or to an agency and other
organizations, which linking of systems results in a system that
permits each agency or organization involved in the linking to
have unrestricted access to the systems of the other agencies and
organizations.

       (H) "Combination of systems" means a unification of systems
that belong to more than one agency, or to an agency and another
organization, into a single system in which the records that
belong to each agency or organization may or may not be obtainable
by the others.

       Sec. 1347.12.  (A) As used in this section:

       (1) "Breach of the security of the system" means unauthorized
acquisition of computerized data that compromises the security,
confidentiality, or integrity of personal information maintained
by a state agency. Good faith acquisition of personal information
by an employee or agent of the state agency for the purposes of
the state agency is not a breach of the security of the system,
provided that the personal information is not used or subject to
further unauthorized disclosure.

       (2) "Individual" means a natural person.

       (3) "Personal information" means an individual's first name
or first initial and last name in combination with any one or more
of the following data elements, when either the name or the data
elements are not encrypted:

       (a) Social security number;

       (b) Driver's license number or state identification card
number;

       (c) Account number or credit or debit card number, in
combination with any required security code, access code, or
password that would permit access to an individual's financial
account.

       "Personal information" does not include publicly available
information that is lawfully made available to the general public
from federal, state, or local government records.

       (4) "State agency" has the same meaning as in section 1.60 of
the Revised Code.

       (B)(1) Any state agency that owns or licenses computerized
data that includes personal information shall disclose any breach
of the security of the system, following discovery or notification
of the breach in the security of the data, to any resident of this
state whose unencrypted personal information was, or reasonably is
believed to have been, acquired by an unauthorized person.

       (2) The state agency shall make the disclosure described in
division (B)(1) of this section in the most expedient time
possible and without unreasonable delay, subject to the legitimate
needs of law enforcement activities described in division (D) of
this section and consistent with any measures necessary to
determine the scope of the breach and to restore the reasonable
integrity of the data system.

       (C) Any state agency that maintains computerized data that
includes personal information that the state agency does not own
shall notify the owner or licensee of the information of any
breach of the security of the data immediately following
discovery, if the personal information was, or reasonably is
believed to have been, acquired by an unauthorized person.

       (D) The state agency may delay the disclosure or notification
required by division (B) or (C) of this section if a law
enforcement agency determines that the disclosure or notification
will impede a criminal investigation, in which case, the state
agency shall make the disclosure or notification after the law
enforcement agency determines that disclosure or notification will
not compromise the investigation.

       (E) For purposes of this section, a state agency may disclose
or make a notification by the following methods:

       (1) Written notice;

       (2) Electronic notice, if the disclosure or notice provided
is consistent with the provisions regarding electronic records and
signatures set forth in 15 U.S.C. 7001, as amended.

       (3) Notice consisting of all of the following:

       (a) Electronic mail notice when the state agency has
electronic mail addresses for the subject persons requiring
disclosure or notification;

       (b) Conspicuous posting of the disclosure or notice on the
state agency's website, if the agency maintains one;

       (c) Notification to major statewide media.

       (F) Notwithstanding division (E) of this section, a state
agency that maintains its own disclosure or notification
procedures as part of an information security policy for the
treatment of personal information, which procedures also are
consistent with the timing requirements of this section, is in
compliance with the disclosure or notification requirements of
this section, if it notifies subject persons requiring disclosure
or notification in accordance with its policies in the event of a
breach of the security of the system.

       Sec. 1349.19.  (A) As used in this section:

       (1) "Breach of the security of the system" means unauthorized
acquisition of computerized data that compromises the security,
confidentiality, or integrity of personal information maintained
by a person or business. Good faith acquisition of personal
information by an employee or agent of the person or business for
the purposes of the person or business is not a breach of the
security of the system, provided that the personal information is
not used or subject to further unauthorized disclosure.

       (2) "Business" means both of the following:

       (a) A sole proprietorship, partnership, corporation,
association, or other group, however organized and whether
operating for profit or not for profit, including a financial
institution organized, chartered, or holding a license authorizing
operation under the laws of this state, any other state, the
United States, or any other country, or the parent or subsidiary
of a financial institution;

       (b) An entity that destroys records.

       (3) "Individual" means a natural person.

       (4) "Personal information" means an individual's first name
or first initial and last name in combination with any one or more
of the following data elements, when either the name or the data
elements are not encrypted:

       (a) Social security number;

       (b) Driver's license number or state identification card
number;

       (c) Account number or credit or debit card number, in
combination with any required security code, access code, or
password that would permit access to an individual's financial
account.

       "Personal information" does not include publicly available
information that is lawfully made available to the general public
from federal, state, or local government records.

       (5) "Records" means any material, regardless of the physical
form, on which information is recorded or preserved by any means,
including in written or spoken words, graphically depicted,
printed, or electromagnetically transmitted. "Records" does not
include publicly available directories containing information an
individual voluntarily has consented to have publicly disseminated
or listed, such as name, address, or telephone number.

       (B)(1) Any person or business that conducts business in this
state and that owns or licenses computerized data that includes
personal information shall disclose any breach of the security of
the system, following discovery or notification of the breach in
the security of the data, to any resident of this state whose
unencrypted personal information was, or reasonably is believed to
have been, acquired by an unauthorized person.

       (2) The person or business shall make the disclosure
described in division (B)(1) of this section in the most expedient
time possible and without unreasonable delay, subject to the
legitimate needs of law enforcement activities described in
division (D) of this section and consistent with any measures
necessary to determine the scope of the breach and to restore the
reasonable integrity of the data system.

       (C) Any person or business that maintains computerized data
that includes personal information that the person or business
does not own shall notify the owner or licensee of the information
of any breach of the security of the data immediately following
discovery, if the personal information was, or reasonably is
believed to have been, acquired by an unauthorized person.

       (D) The person or business may delay the disclosure or
notification required by division (B) or (C) of this section if a
law enforcement agency determines that the disclosure or
notification will impede a criminal investigation, in which case,
the person or business shall make the disclosure or notification
after the law enforcement agency determines that disclosure or
notification will not compromise the investigation.

       (E) For purposes of this section, a person or business may
disclose or make a notification by the following methods:

       (1) Written notice;

       (2) Electronic notice, if the disclosure or notice provided
is consistent with the provisions regarding electronic records and
signatures set forth in 15 U.S.C. 7001, as amended.

       (3) Notice consisting of all of the following:

       (a) Electronic mail notice when the person or business has
electronic mail addresses for the subject persons requiring
disclosure or notification;

       (b) Conspicuous posting of the disclosure or notice on the
person's or business' website, if the person or business maintains
one;

       (c) Notification to major statewide media.

       (F) Notwithstanding division (E) of this section, a person or
business that maintains its own disclosure or notification
procedures as part of an information security policy for the
treatment of personal information, which procedures also are
consistent with the timing requirements of this section, is in
compliance with the disclosure or notification requirements of
this section, if the person or business notifies subject persons
requiring disclosure or notification in accordance with its
policies in the event of a breach of the security of the system.

       (G) Any waiver of this section is contrary to public policy
and is void and unenforceable.

       (H) Any individual injured by a violation of this section has
a cause of action for recovery of damages.

       Section 2. That existing section 1347.01 of the Revised Code
is hereby repealed.