To amend section 1347.01 and to enact sections 1347.12 and 1349.19 of the Revised Code to require a state agency, person, or business to contact individuals if unencrypted personal information about those individuals that is maintained on the computers of the agency, person, or business is obtained by unauthorized persons.
Section 1. That section 1347.01 be amended and sections 1347.12 and 1349.19 of the Revised Code be enacted to read as follows:
Sec. 1347.01. As used in this chapter, except as otherwise provided:

(A) "State agency" means the office of any elected state officer and any agency, board, commission, department, division, or educational institution of the state.

(B) "Local agency" means any municipal corporation, school district, special purpose district, or township of the state or any elected officer or board, bureau, commission, department, division, institution, or instrumentality of a county.

(C) "Special purpose district" means any geographic or political jurisdiction that is created by statute to perform a limited and specific function, and includes, but is not limited to, library districts, conservancy districts, metropolitan housing authorities, park districts, port authorities, regional airport authorities, regional transit authorities, regional water and sewer districts, sanitary districts, soil and water conservation districts, and regional planning agencies.

(D) "Maintains" means state or local agency ownership of, control over, responsibility for, or accountability for systems and includes, but is not limited to, state or local agency depositing of information with a data processing center for storage, processing, or dissemination. An agency "maintains" all systems of records that are required by law to be kept by the agency.

(E) "Personal information" means any information that describes anything about a person, or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person.

(F) "System" means any collection or group of related records that are kept in an organized manner and that are maintained by a state or local agency, and from which personal information is retrieved by the name of the person or by some identifying number, symbol, or other identifier assigned to the person. "System" includes both records that are manually stored and records that are stored using electronic data processing equipment. "System" does not include collected archival records in the custody of or administered under the authority of the Ohio historical society, published directories, reference materials or newsletters, or routine information that is maintained for the purpose of internal office administration, the use of which would not adversely affect a person.

(G) "Interconnection of systems" means a linking of systems that belong to more than one agency, or to an agency and other organizations, which linking of systems results in a system that permits each agency or organization involved in the linking to have unrestricted access to the systems of the other agencies and organizations.

(H) "Combination of systems" means a unification of systems that belong to more than one agency, or to an agency and another organization, into a single system in which the records that belong to each agency or organization may or may not be obtainable by the others.
Sec. 1347.12. (A) As used in this section:

(1) "Breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a state agency. Good faith acquisition of personal information by an employee or agent of the state agency for the purposes of the state agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(2) "Individual" means a natural person.

(3) "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(a) Social security number;

(b) Driver's license number or state identification card number;

(c) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(4) "State agency" has the same meaning as in section 1.60 of the Revised Code.

(B)(1) Any state agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system, following discovery or notification of the breach in the security of the data, to any resident of this state whose unencrypted personal information was, or reasonably is believed to have been, acquired by an unauthorized person.

(2) The state agency shall make the disclosure described in division (B)(1) of this section in the most expedient time possible and without unreasonable delay, subject to the legitimate needs of law enforcement activities described in division (D) of this section and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.

(C) Any state agency that maintains computerized data that includes personal information that the state agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or reasonably is believed to have been, acquired by an unauthorized person.

(D) The state agency may delay the disclosure or notification required by division (B) or (C) of this section if a law enforcement agency determines that the disclosure or notification will impede a criminal investigation, in which case, the state agency shall make the disclosure or notification after the law enforcement agency determines that disclosure or notification will not compromise the investigation.

(E) For purposes of this section, a state agency may disclose or make a notification by the following methods:

(1) Written notice;

(2) Electronic notice, if the disclosure or notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. 7001, as amended.

(3) Notice consisting of all of the following:

(a) Electronic mail notice when the state agency has electronic mail addresses for the subject persons requiring disclosure or notification;

(b) Conspicuous posting of the disclosure or notice on the state agency's website, if the agency maintains one;

(c) Notification to major statewide media.

(F) Notwithstanding division (E) of this section, a state agency that maintains its own disclosure or notification procedures as part of an information security policy for the treatment of personal information, which procedures also are consistent with the timing requirements of this section, is in compliance with the disclosure or notification requirements of this section, if it notifies subject persons requiring disclosure or notification in accordance with its policies in the event of a breach of the security of the system.
Sec. 1349.19. (A) As used in this section:

(1) "Breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(2) "Business" means both of the following:

(a) A sole proprietorship, partnership, corporation, association, or other group, however organized and whether operating for profit or not for profit, including a financial institution organized, chartered, or holding a license authorizing operation under the laws of this state, any other state, the United States, or any other country, or the parent or subsidiary of a financial institution;

(b) An entity that destroys records.

(3) "Individual" means a natural person.

(4) "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(a) Social security number;

(b) Driver's license number or state identification card number;

(c) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(5) "Records" means any material, regardless of the physical form, on which information is recorded or preserved by any means, including in written or spoken words, graphically depicted, printed, or electromagnetically transmitted. "Records" does not include publicly available directories containing information an individual voluntarily has consented to have publicly disseminated or listed, such as name, address, or telephone number.

(B)(1) Any person or business that conducts business in this state and that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system, following discovery or notification of the breach in the security of the data, to any resident of this state whose unencrypted personal information was, or reasonably is believed to have been, acquired by an unauthorized person.

(2) The person or business shall make the disclosure described in division (B)(1) of this section in the most expedient time possible and without unreasonable delay, subject to the legitimate needs of law enforcement activities described in division (D) of this section and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.

(C) Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or reasonably is believed to have been, acquired by an unauthorized person.

(D) The person or business may delay the disclosure or notification required by division (B) or (C) of this section if a law enforcement agency determines that the disclosure or notification will impede a criminal investigation, in which case, the person or business shall make the disclosure or notification after the law enforcement agency determines that disclosure or notification will not compromise the investigation.

(E) For purposes of this section, a person or business may disclose or make a notification by the following methods:

(1) Written notice;

(2) Electronic notice, if the disclosure or notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. 7001, as amended.

(3) Notice consisting of all of the following:

(a) Electronic mail notice when the person or business has electronic mail addresses for the subject persons requiring disclosure or notification;

(b) Conspicuous posting of the disclosure or notice on the person's or business' website, if the person or business maintains one;

(c) Notification to major statewide media.

(F) Notwithstanding division (E) of this section, a person or business that maintains its own disclosure or notification procedures as part of an information security policy for the treatment of personal information, which procedures also are consistent with the timing requirements of this section, is in compliance with the disclosure or notification requirements of this section, if the person or business notifies subject persons requiring disclosure or notification in accordance with its policies in the event of a breach of the security of the system.

(G) Any waiver of this section is contrary to public policy and is void and unenforceable.

(H) Any individual injured by a violation of this section has a cause of action for recovery of damages.
Section 2. That existing section 1347.01 of the Revised Code is hereby repealed.