Sec. 1345.51. There is hereby created in the state treasury the consumer protection enforcement fund. The fund shall include civil penalties ordered pursuant to divisions (A) and (D) of section 1345.07 of the Revised Code and paid as provided in division (G) of that section, all civil penalties assessed under division (A) of section 1349.192 of the Revised Code, all costs awarded to the attorney general and all penalties imposed under section 4549.48 of the Revised Code, and all money unclaimed under section 4549.50 of the Revised Code. The money in the consumer protection enforcement fund shall be used for the sole purpose of paying expenses incurred by the consumer protection section of the office of the attorney general.
(C) "Special purpose district" means any geographic or political jurisdiction that is created by statute to perform a limited and specific function, and includes, but is not limited to, library districts, conservancy districts, metropolitan housing authorities, park districts, port authorities, regional airport authorities, regional transit authorities, regional water and sewer districts, sanitary districts, soil and water conservation districts, and regional planning agencies.
(D) "Maintains" means state or local agency ownership of, control over, responsibility for, or accountability for systems and includes, but is not limited to, state or local agency depositing of information with a data processing center for storage, processing, or dissemination. An agency "maintains" all systems of records that are required by law to be kept by the agency.
(E) "Personal information" means any information that describes anything about a person, or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person.
(F) "System" means any collection or group of related records that are kept in an organized manner and that are maintained by a state or local agency, and from which personal information is retrieved by the name of the person or by some identifying number, symbol, or other identifier assigned to the person. "System" includes both records that are manually stored and records that are stored using electronic data processing equipment. "System" does not include collected archival records in the custody of or administered under the authority of the Ohio historical society, published directories, reference materials or newsletters, or routine information that is maintained for the purpose of internal office administration, the use of which would not adversely affect a person.
(2)(a) "Breach of the security of the system" means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a state agency or an agency of a political subdivision and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state.
(3) "Consumer reporting agency that compiles and maintains files on consumers on a nationwide basis" means a consumer reporting agency that regularly engages in the practice of assembling or evaluating, and maintaining, for the purpose of furnishing consumer reports to third parties bearing on a consumer's creditworthiness, credit standing, or credit capacity, each of the following regarding consumers residing nationwide:
(6)(a) "Personal information" means, notwithstanding section 1347.01 of the Revised Code, an individual's name, consisting of the individual's first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable:
(11) "System" means, notwithstanding section 1347.01 of the Revised Code, any collection or group of related records that are kept in an organized manner, that are maintained by a state agency or an agency of a political subdivision, and from which personal information is retrieved by the name of the individual or by some identifying number, symbol, or other identifier assigned to the individual. "System" does not include any collected archival records in the custody of or administered under the authority of the Ohio historical society, any published directory, any reference material or newsletter, or any routine information that is maintained for the purpose of internal office administration of the agency, if the use of the directory, material, newsletter, or information would not adversely affect an individual and if there has been no unauthorized external breach of the directory, material, newsletter, or information.
(B)(1) Any state agency or agency of a political subdivision that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system, following its discovery or notification of the breach of the security of the system, to any resident of this state whose personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to the resident. The disclosure described in this division may be made pursuant to any provision of a contract entered into by the state agency or agency of a political subdivision with any person or another state agency or agency of a political subdivision prior to the date the breach of the security of the system occurred if that contract does not conflict with any provision of this section. For purposes of this section, a resident of this state is an individual whose principal mailing address as reflected in the records of the state agency or agency of a political subdivision is in this state.
(2) The state agency or agency of a political subdivision shall make the disclosure described in division (B)(1) of this section in the most expedient time possible but not later than forty-five days following its discovery or notification of the breach in the security of the system, subject to the legitimate needs of law enforcement activities described in division (D) of this section and consistent with any measures necessary to determine the scope of the breach, including which residents' personal information was accessed and acquired, and to restore the reasonable integrity of the data system.
(C) Any state agency or agency of a political subdivision that, on behalf of or at the direction of another state agency or agency of a political subdivision, is the custodian of or stores computerized data that includes personal information shall notify that other state agency or agency of a political subdivision of any breach of the security of the system in an expeditious manner, if the personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person and if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to a resident of this state.
(D) The state agency or agency of a political subdivision may delay the disclosure or notification required by division (B), (C), or (F) of this section if a law enforcement agency determines that the disclosure or notification will impede a criminal investigation or jeopardize homeland or national security, in which case, the state agency or agency of a political subdivision shall make the disclosure or notification after the law enforcement agency determines that disclosure or notification will not compromise the investigation or jeopardize homeland or national security.
(4) Substitute notice in accordance with this division, if the state agency or agency of a political subdivision required to disclose demonstrates that the agency does not have sufficient contact information to provide notice in a manner described in division (E)(1), (2), or (3) of this section, or that the cost of providing disclosure or notice to residents to whom disclosure or notification is required would exceed two hundred fifty thousand dollars, or that the affected class of subject residents to whom disclosure or notification is required exceeds five hundred thousand persons. Substitute notice under this division shall consist of all of the following:
(F) If a state agency or agency of a political subdivision discovers circumstances that require disclosure under this section to more than one thousand residents of this state involved in a single occurrence of a breach of the security of the system, the state agency or agency of a political subdivision shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the disclosure given by the state agency or agency of a political subdivision to the residents of this state. In no case shall a state agency or agency of a political subdivision that is required to make a notification required by this division delay any disclosure or notification required by division (B) or (C) of this section in order to make the notification required by this division.
(1)(a) "Breach of the security of the system" means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a person and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state.
(2) "Business entity" means a sole proprietorship, partnership, corporation, association, or other group, however organized and whether operating for profit or not for profit, including a financial institution organized, chartered, or holding a license authorizing operation under the laws of this state, any other state, the United States, or any other country, or the parent or subsidiary of a financial institution.
(3) "Consumer reporting agency that compiles and maintains files on consumers on a nationwide basis" means a consumer reporting agency that regularly engages in the practice of assembling or evaluating, and maintaining, for the purpose of furnishing consumer reports to third parties bearing on a consumer's creditworthiness, credit standing, or credit capacity, each of the following regarding consumers residing nationwide:
(7)(a) "Personal information" means an individual's name, consisting of the individual's first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable:
(10) "System" means any collection or group of related records that are kept in an organized manner, that are maintained by a person, and from which personal information is retrieved by the name of the individual or by some identifying number, symbol, or other identifier assigned to the individual. "System" does not include any published directory, any reference material or newsletter, or any routine information that is maintained for the purpose of internal office administration of the person, if the use of the directory, material, newsletter, or information would not adversely affect an individual, and there has been no unauthorized external breach of the directory, material, newsletter, or information.
(B)(1) Any person that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system, following its discovery or notification of the breach of the security of the system, to any resident of this state whose personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to the resident. The disclosure described in this division may be made pursuant to any provision of a contract entered into by the person with another person prior to the date the breach of the security of the system occurred if that contract does not conflict with any provision of this section and does not waive any provision of this section. For purposes of this section, a resident of this state is an individual whose principal mailing address as reflected in the records of the person is in this state.
(2) The person shall make the disclosure described in division (B)(1) of this section in the most expedient time possible but not later than forty-five days following its discovery or notification of the breach in the security of the system, subject to the legitimate needs of law enforcement activities described in division (D) of this section and consistent with any measures necessary to determine the scope of the breach, including which residents' personal information was accessed and acquired, and to restore the reasonable integrity of the data system.
(C) Any person that, on behalf of or at the direction of another person or on behalf of or at the direction of any governmental entity, is the custodian of or stores computerized data that includes personal information shall notify that other person or governmental entity of any breach of the security of the system in an expeditious manner, if the personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person and if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to a resident of this state.
(D) The person may delay the disclosure or notification required by division (B), (C), or (G) of this section if a law enforcement agency determines that the disclosure or notification will impede a criminal investigation or jeopardize homeland or national security, in which case, the person shall make the disclosure or notification after the law enforcement agency determines that disclosure or notification will not compromise the investigation or jeopardize homeland or national security.
(4) Substitute notice in accordance with this division, if the person required to disclose demonstrates that the person does not have sufficient contact information to provide notice in a manner described in division (E)(1), (2), or (3) of this section, or that the cost of providing disclosure or notice to residents to whom disclosure or notification is required would exceed two hundred fifty thousand dollars, or that the affected class of subject residents to whom disclosure or notification is required exceeds five hundred thousand persons. Substitute notice under this division shall consist of all of the following:
(F)(1) A financial institution, trust company, or credit union or any affiliate of a financial institution, trust company, or credit union that is required by federal law, including, but not limited to, any federal statute, regulation, regulatory guidance, or other regulatory action, to notify its customers of an information security breach with respect to information about those customers and that is subject to examination by its functional government regulatory agency for compliance with the applicable federal law, is exempt from the requirements of this section.
(G) If a person discovers circumstances that require disclosure under this section to more than one thousand residents of this state involved in a single occurrence of a breach of the security of the system, the person shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the disclosure given by the person to the residents of this state. In no case shall a person that is required to make a notification required by this division delay any disclosure or notification required by division (B) or (C) of this section in order to make the notification required by this division.
(D)(1) If the attorney general under division (C) of this section subpoenas the production of any relevant matter that is located outside this state, the attorney general may designate a representative, including an official of the state in which that relevant matter is located, to inspect the relevant matter on the attorney general's behalf. The attorney general may carry out similar requests received from officials of other states.
(E) Any person who is subpoenaed as a witness or to produce relevant matter pursuant to division (C) of this section may file in the court of common pleas of Franklin county, the county in this state in which the person resides, or the county in this state in which the person's principal place of business is located a petition to extend for good cause shown the date on which the subpoena is to be returned or to modify or quash for good cause shown that subpoena. The person may file the petition at any time prior to the date specified for the return of the subpoena or within twenty days after the service of the subpoena, whichever is earlier.
(F) Any person who is subpoenaed as a witness or to produce relevant matter pursuant to division (C) of this section shall comply with the terms of the subpoena unless the court orders otherwise prior to the date specified for the return of the subpoena or, if applicable, that date as extended. If a person fails without lawful excuse to obey a subpoena, the attorney general may apply to the court of common pleas for an order that does one or more of the following:
Sec. 1349.192. (A)(1) The attorney general shall have the exclusive authority to bring a civil action in a court of common pleas for appropriate relief under this section, including a temporary restraining order, preliminary or permanent injunction, and civil penalties, if it appears that a state agency or an agency of a political subdivision has failed or is failing to comply with section 1347.12 of the Revised Code or that a person has failed or is failing to comply with section 1349.19 of the Revised Code. Upon its finding that a state agency or an agency of a political subdivision has failed to comply with section 1347.12 of the Revised Code or that a person has failed to comply with section 1349.19 of the Revised Code, the court shall impose a civil penalty upon the state agency, agency of a political subdivision, or person as follows:
(b) If the state agency, agency of a political subdivision, or person has intentionally or recklessly failed to comply with the applicable section for more than sixty days, subject to division (A)(1)(c) of this section, a civil penalty in the amount specified in division (A)(1)(a) of this section for each day of the first sixty days that the agency or person fails to comply with the section and, for each day commencing with the sixty-first day that the state agency, agency of a political subdivision, or person has failed to comply with the section, a civil penalty of up to five thousand dollars for each such day the agency or person fails to comply with the section;
(c) If the state agency, agency of a political subdivision, or person has intentionally or recklessly failed to comply with the applicable section for more than ninety days, a civil penalty in the amount specified in division (A)(1)(a) of this section for each day of the first sixty days that the agency or person fails to comply with the section, a civil penalty of up to five thousand dollars for each day commencing with the sixty-first day and continuing through the ninetieth day that the agency or person fails to comply with the section, and, for each day commencing with the ninety-first day that the state agency, agency of a political subdivision, or person has failed to comply with the section, a civil penalty of up to ten thousand dollars for each such day the agency or person fails to comply with the section.
(a) If the defendant in the civil action is a state agency, an agency of a political subdivision, or a person that is a business entity, whether or not the high managerial officer, agent, or employee of the agency or business entity having supervisory responsibility for compliance with section 1347.12 or 1349.19 of the Revised Code, whichever is applicable, acted in bad faith in failing to comply with the section.
Section 3. This act deals with subject matter that is of statewide concern. It is the intent of the General Assembly that this act supersede and preempt all rules, regulations, resolutions, codes, and ordinances of all counties, municipal corporations, townships, and agencies of counties, municipal corporations, and townships that pertain to matters that are expressly set forth or regulated under this act.