Sec. 1345.51. There is hereby created in the state treasury the consumer protection enforcement fund. The fund shall include civil penalties ordered pursuant to divisions (A) and (D) of section 1345.07 of the Revised Code and paid as provided in division (G) of that section, all civil penalties assessed under division (A) of section 1349.192 of the Revised Code, all costs awarded to the attorney general and all penalties imposed under section 4549.48 of the Revised Code, and all money unclaimed under section 4549.50 of the Revised Code. The money in the consumer protection enforcement fund shall be used for the sole purpose of paying expenses incurred by the consumer protection section of the office of the attorney general.
(C) "Special purpose district" means any geographic or political jurisdiction that is created by statute to perform a limited and specific function, and includes, but is not limited to, library districts, conservancy districts, metropolitan housing authorities, park districts, port authorities, regional airport authorities, regional transit authorities, regional water and sewer districts, sanitary districts, soil and water conservation districts, and regional planning agencies.
(D) "Maintains" means state or local agency ownership of, control over, responsibility for, or accountability for systems and includes, but is not limited to, state or local agency depositing of information with a data processing center for storage, processing, or dissemination. An agency "maintains" all systems of records that are required by law to be kept by the agency.
(E) "Personal information" means any information that describes anything about a person, or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person.
(F) "System" means any collection or group of related records that are kept in an organized manner and that are maintained by a state or local agency, and from which personal information is retrieved by the name of the person or by some identifying number, symbol, or other identifier assigned to the person. "System" includes both records that are manually stored and records that are stored using electronic data processing equipment. "System" does not include collected archival records in the custody of or administered under the authority of the Ohio historical society, published directories, reference materials or newsletters, or routine information that is maintained for the purpose of internal office administration, the use of which would not adversely affect a person.
(1) "Breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a state agency and that causes or reasonably is believed to cause injury or loss to the person or property of a resident of this state. Good faith acquisition of personal information by an employee or agent of the state agency for the purposes of the state agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure. Acquisition of personal information pursuant to a search warrant, subpoena, or other court order is not a breach of the security of the system.
(2) "Consumer reporting agency that compiles and maintains files on consumers on a nationwide basis" means a consumer reporting agency that, for the purpose of furnishing consumer reports to third parties bearing on a consumer's creditworthiness, credit standing, or credit capacity, regularly engages in the practice of assembling or evaluating, and maintaining, each of the following regarding consumers residing nationwide:
(B)(1) Any state agency that maintains computerized data that includes personal information shall disclose any breach of the security of the system, following its discovery or notification of the breach of the security of the system, to any resident of this state whose personal information was, or reasonably is believed to have been, acquired by an unauthorized person. The disclosure described in this division may be made pursuant to any provision of a contract entered into by the state agency with any person or another state agency prior to the date the breach of the security of the system occurred if that contract does not conflict with any provision of this section. For purposes of this section, a resident of this state is an individual whose principal mailing address as reflected in the records of the state agency is in this state.
(2) The state agency shall make the disclosure described in division (B)(1) of this section in the most expedient time possible but not later than forty-five days following its discovery or notification of the breach in the security of the system, subject to the legitimate needs of law enforcement activities described in division (D) of this section and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.
(D) The state agency may delay the disclosure or notification required by division (B) or (C) of this section if a law enforcement agency determines that the disclosure or notification will impede a criminal investigation, in which case, the state agency shall make the disclosure or notification after the law enforcement agency determines that disclosure or notification will not compromise the investigation.
(F) Notwithstanding division (E) of this section, a state agency that maintains its own disclosure or notification procedures as part of an information privacy or security policy for the treatment of personal information, which procedures also are consistent with the timing requirements of this section, is in compliance with the disclosure or notification requirements of this section if it notifies subject persons requiring disclosure or notification in accordance with its policies in the event of a breach of the security of the system.
(G) If a state agency discovers circumstances that require disclosure under this section to more than one thousand residents of this state involved in a single occurrence of a breach of the security of the system, the state agency shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the disclosure given by the state agency to the residents of this state.
(1) "Breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business and that causes or reasonably is believed to cause injury or loss to the person or property of a resident of this state. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure. Acquisition of personal information pursuant to a search warrant, subpoena, or other court order is not a breach of the security of the system.
(a) A sole proprietorship, partnership, corporation, association, or other group, however organized and whether operating for profit or not for profit, including a financial institution organized, chartered, or holding a license authorizing operation under the laws of this state, any other state, the United States, or any other country, or the parent or subsidiary of a financial institution;
(3) "Consumer reporting agency that compiles and maintains files on consumers on a nationwide basis" means a consumer reporting agency that, for the purpose of furnishing consumer reports to third parties bearing on a consumer's creditworthiness, credit standing, or credit capacity, regularly engages in the practice of assembling or evaluating, and maintaining, each of the following regarding consumers residing nationwide:
(5) "Maintains" means a person's or business's ownership of, control over, responsibility for, or accountability for systems and includes, but is not limited to, a person's or business's depositing of information with a data processing center for storage, processing, or dissemination. A person or business "maintains" all systems of records that are required by law to be kept by the person or business.
(7) "Records" means any material, regardless of the physical form, on which information is recorded or preserved by any means, including in written or spoken words, graphically depicted, printed, or electromagnetically transmitted. "Records" does not include publicly available directories containing information an individual voluntarily has consented to have publicly disseminated or listed, such as name, address, or telephone number.
(8) "System" means any collection or group of related records that are kept in an organized manner, that are maintained by a state or business, and from which personal information is retrieved by the name of the person or by some identifying number, symbol, or other identifier assigned to the person. "System" includes both records that are manually stored and records that are stored using electronic data processing equipment. "System" does not include published directories, reference materials or newsletters, or routine information that is maintained for the purpose of internal office administration of the person or business and the use of which would not adversely affect a person.
(B)(1) Any person or business that conducts business in this state and that maintains computerized data that includes personal information shall disclose any breach of the security of the system, following its discovery or notification of the breach of the security of the system, to any resident of this state whose personal information was, or reasonably is believed to have been, acquired by an unauthorized person. The disclosure described in this division may be made pursuant to any provision of a contract entered into by the person or business with another person or business prior to the date the breach of the security of the system occurred if that contract does not conflict with any provision of this section and does not waive any provision of this section. For purposes of this section, a resident of this state is an individual whose principal mailing address as reflected in the records of the person or business is in this state.
(2) The person or business shall make the disclosure described in division (B)(1) of this section in the most expedient time possible but not later than forty-five days following its discovery or notification of the breach in the security of the system, subject to the legitimate needs of law enforcement activities described in division (D) of this section and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.
(D) The person or business may delay the disclosure or notification required by division (B) or (C) of this section if a law enforcement agency determines that the disclosure or notification will impede a criminal investigation, in which case, the person or business shall make the disclosure or notification after the law enforcement agency determines that disclosure or notification will not compromise the investigation.
(F)(1) Notwithstanding division (E) of this section, a person or business that maintains its own disclosure or notification procedures as part of an information privacy or security policy for the treatment of personal information, which procedures also are consistent with the timing requirements of this section, is in compliance with the disclosure or notification requirements of this section if the person or business notifies subject persons requiring disclosure or notification in accordance with its policies in the event of a breach of the security of the system.
(2) A financial institution, trust company, or credit union or any affiliate of a financial institution, trust company, or credit union that is required by federal law, including, but not limited to, any federal statute, regulation, regulatory guidance, or other regulatory action, to notify its customers of an information security breach with respect to information about those customers and that is subject to examination by its functional government regulatory agency for compliance with the applicable federal law, is exempt from the requirements of this section.
(G) If a person or business discovers circumstances that require disclosure under this section to more than one thousand residents of this state involved in a single occurrence of a breach of the security of the system, the person or business shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the disclosure given by the person or business to the residents of this state.
(D)(1) If the attorney general under division (C) of this section subpoenas the production of any relevant matter that is located outside this state, the attorney general may designate a representative, including an official of the state in which that relevant matter is located, to inspect the relevant matter on the attorney general's behalf. The attorney general may carry out similar requests received from officials of other states.
(E) Any person who is subpoenaed as a witness or to produce relevant matter pursuant to division (C) of this section may file in the court of common pleas of Franklin county, the county in this state in which the person resides, or the county in this state in which the person's principal place of business is located a petition to extend for good cause shown the date on which the subpoena is to be returned or to modify or quash for good cause shown that subpoena. The person may file the petition at any time prior to the date specified for the return of the subpoena or within twenty days after the service of the subpoena, whichever is earlier.
(F) Any person who is subpoenaed as a witness or to produce relevant matter pursuant to division (C) of this section shall comply with the terms of the subpoena unless the court orders otherwise prior to the date specified for the return of the subpoena or, if applicable, that date as extended. If a person fails without lawful excuse to obey a subpoena, the attorney general may apply to the court of common pleas for an order that does one or more of the following:
Sec. 1349.192. (A) The attorney general may bring a civil action in a court of common pleas for appropriate relief, including a temporary restraining order, preliminary or permanent injunction, and civil penalties, if it appears that a state agency has failed or is failing to comply with section 1347.12 of the Revised Code or that a person or business has failed or is failing to comply with section 1349.19 of the Revised Code. Upon its finding that a state agency has failed to comply with section 1347.12 of the Revised Code, the court shall impose a civil penalty of not more than one thousand dollars per day for each day the state agency fails to comply with that section. Upon its finding that a person or business has failed to comply with section 1349.19 of the Revised Code, the court shall impose a civil penalty of not more than one thousand dollars for each day the person or business fails to comply with that section. Any civil penalty that is assessed under this division shall be deposited into the consumer protection enforcement fund created by section 1345.51 of the Revised Code.
Section 3. This act deals with subject matter that is of statewide concern. It is the intent of the General Assembly that this act supersede and preempt all rules, regulations, resolutions, codes, and ordinances of all counties, municipal corporations, townships, and agencies of counties, municipal corporations, and townships that pertain to matters that are expressly set forth or regulated under this act.