As Reported by the House Civil and Commercial Law Committee

126th General Assembly
Regular Session
2005-2006
Sub. H. B. No. 104


Representatives Martin, McGregor, Trakas, Wagoner, C. Evans, Perry, Seitz, Coley, Core, Harwood 



A BILL

To amend sections 1345.51 and 1347.01 and to enact sections 1347.12, 1349.19, 1349.191, and 1349.192 of the Revised Code to require a state agency, person, or business to contact individuals residing in Ohio if unencrypted or unredacted personal information about those individuals that is maintained on the computers of the agency, person, or business is obtained by unauthorized persons and to authorize the Attorney General to investigate and enforce compliance with the requirements.


BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF OHIO:

Section 1. That sections 1345.51 and 1347.01 be amended and sections 1347.12, 1349.19, 1349.191, and 1349.192 of the Revised Code be enacted to read as follows:

Sec. 1345.51. There is hereby created in the state treasury the consumer protection enforcement fund. The fund shall include civil penalties ordered pursuant to divisions (A) and (D) of section 1345.07 of the Revised Code and paid as provided in division (G) of that section, all civil penalties assessed under division (A) of section 1349.192 of the Revised Code, all costs awarded to the attorney general and all penalties imposed under section 4549.48 of the Revised Code, and all money unclaimed under section 4549.50 of the Revised Code. The money in the consumer protection enforcement fund shall be used for the sole purpose of paying expenses incurred by the consumer protection section of the office of the attorney general.

Sec. 1347.01. As used in this chapter, except as otherwise provided:

(A) "State agency" means the office of any elected state officer and any agency, board, commission, department, division, or educational institution of the state.

(B) "Local agency" means any municipal corporation, school district, special purpose district, or township of the state or any elected officer or board, bureau, commission, department, division, institution, or instrumentality of a county.

(C) "Special purpose district" means any geographic or political jurisdiction that is created by statute to perform a limited and specific function, and includes, but is not limited to, library districts, conservancy districts, metropolitan housing authorities, park districts, port authorities, regional airport authorities, regional transit authorities, regional water and sewer districts, sanitary districts, soil and water conservation districts, and regional planning agencies.

(D) "Maintains" means state or local agency ownership of, control over, responsibility for, or accountability for systems and includes, but is not limited to, state or local agency depositing of information with a data processing center for storage, processing, or dissemination. An agency "maintains" all systems of records that are required by law to be kept by the agency.

(E) "Personal information" means any information that describes anything about a person, or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person.

(F) "System" means any collection or group of related records that are kept in an organized manner and that are maintained by a state or local agency, and from which personal information is retrieved by the name of the person or by some identifying number, symbol, or other identifier assigned to the person. "System" includes both records that are manually stored and records that are stored using electronic data processing equipment. "System" does not include collected archival records in the custody of or administered under the authority of the Ohio historical society, published directories, reference materials or newsletters, or routine information that is maintained for the purpose of internal office administration, the use of which would not adversely affect a person.

(G) "Interconnection of systems" means a linking of systems that belong to more than one agency, or to an agency and other organizations, which linking of systems results in a system that permits each agency or organization involved in the linking to have unrestricted access to the systems of the other agencies and organizations.

(H) "Combination of systems" means a unification of systems that belong to more than one agency, or to an agency and another organization, into a single system in which the records that belong to each agency or organization may or may not be obtainable by the others.

Sec. 1347.12. (A) As used in this section:

(1) "Breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a state agency and that causes or reasonably is believed to cause injury or loss to the person or property of a resident of this state. Good faith acquisition of personal information by an employee or agent of the state agency for the purposes of the state agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure. Acquisition of personal information pursuant to a search warrant, subpoena, or other court order is not a breach of the security of the system.

(2) "Consumer reporting agency that compiles and maintains files on consumers on a nationwide basis" means a consumer reporting agency that, for the purpose of furnishing consumer reports to third parties bearing on a consumer's creditworthiness, credit standing, or credit capacity, regularly engages in the practice of assembling or evaluating, and maintaining, each of the following regarding consumers residing nationwide:

(a) Public record information;

(b) Credit account information from persons who furnish that information to the credit reporting agency regularly and in the ordinary course of business.

(3) "Individual" means a natural person.

(4) "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted, redacted, or altered by any method or technology:

(a) Social security number;

(b) Driver's license number or state identification card number;

(c) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.

(5) "State agency" has the same meaning as in section 1.60 of the Revised Code.

(B)(1) Any state agency that maintains computerized data that includes personal information shall disclose any breach of the security of the system, following its discovery or notification of the breach of the security of the system, to any resident of this state whose personal information was, or reasonably is believed to have been, acquired by an unauthorized person. The disclosure described in this division may be made pursuant to any provision of a contract entered into by the state agency with any person or another state agency prior to the date the breach of the security of the system occurred if that contract does not conflict with any provision of this section. For purposes of this section, a resident of this state is an individual whose principal mailing address as reflected in the records of the state agency is in this state.

(2) The state agency shall make the disclosure described in division (B)(1) of this section in the most expedient time possible but not later than forty-five days following its discovery or notification of the breach in the security of the system, subject to the legitimate needs of law enforcement activities described in division (D) of this section and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.

(C) Any state agency that on behalf of another state agency maintains computerized data that includes personal information shall notify that other state agency of any breach of the security of the system in an expeditious manner, if the personal information was, or reasonably is believed to have been, acquired by an unauthorized person.

(D) The state agency may delay the disclosure or notification required by division (B) or (C) of this section if a law enforcement agency determines that the disclosure or notification will impede a criminal investigation, in which case, the state agency shall make the disclosure or notification after the law enforcement agency determines that disclosure or notification will not compromise the investigation.

(E) For purposes of this section, a state agency may disclose or make a notification by any of the following methods:

(1) Written notice;

(2) Electronic notice, if the disclosure or notice provided is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. 7001, as amended;

(3) Telephone notice;

(4) Notice consisting of all of the following:

(a) Electronic mail notice when the state agency has electronic mail addresses for the subject persons requiring disclosure or notification;

(b) Conspicuous posting of the disclosure or notice on the state agency's website, if the agency maintains one;

(c) Notification to major statewide media.

(F) Notwithstanding division (E) of this section, a state agency that maintains its own disclosure or notification procedures as part of an information privacy or security policy for the treatment of personal information, which procedures also are consistent with the timing requirements of this section, is in compliance with the disclosure or notification requirements of this section if it notifies subject persons requiring disclosure or notification in accordance with its policies in the event of a breach of the security of the system.

(G) If a state agency discovers circumstances that require disclosure under this section to more than one thousand residents of this state involved in a single occurrence of a breach of the security of the system, the state agency shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the disclosure given by the state agency to the residents of this state.

(H) The attorney general, pursuant to sections 1349.191 and 1349.192 of the Revised Code, may conduct an investigation and bring a civil action upon an alleged failure by a state agency to comply with the requirements of this section.

Sec. 1349.19. (A) As used in this section:

(1) "Breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business and that causes or reasonably is believed to cause injury or loss to the person or property of a resident of this state. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure. Acquisition of personal information pursuant to a search warrant, subpoena, or other court order is not a breach of the security of the system.

(2) "Business" means both of the following:

(a) A sole proprietorship, partnership, corporation, association, or other group, however organized and whether operating for profit or not for profit, including a financial institution organized, chartered, or holding a license authorizing operation under the laws of this state, any other state, the United States, or any other country, or the parent or subsidiary of a financial institution;

(b) An entity that destroys records.

(3) "Consumer reporting agency that compiles and maintains files on consumers on a nationwide basis" means a consumer reporting agency that, for the purpose of furnishing consumer reports to third parties bearing on a consumer's creditworthiness, credit standing, or credit capacity, regularly engages in the practice of assembling or evaluating, and maintaining, each of the following regarding consumers residing nationwide:

(a) Public record information;

(b) Credit account information from persons who furnish that information to the credit reporting agency regularly and in the ordinary course of business.

(4) "Individual" means a natural person.

(5) "Maintains" means a person's or business's ownership of, control over, responsibility for, or accountability for systems and includes, but is not limited to, a person's or business's depositing of information with a data processing center for storage, processing, or dissemination. A person or business "maintains" all systems of records that are required by law to be kept by the person or business.

(6) "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted, redacted, or altered by any method or technology:

(a) Social security number;

(b) Driver's license number or state identification card number;

(c) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.

(7) "Records" means any material, regardless of the physical form, on which information is recorded or preserved by any means, including in written or spoken words, graphically depicted, printed, or electromagnetically transmitted. "Records" does not include publicly available directories containing information an individual voluntarily has consented to have publicly disseminated or listed, such as name, address, or telephone number.

(8) "System" means any collection or group of related records that are kept in an organized manner, that are maintained by a state or business, and from which personal information is retrieved by the name of the person or by some identifying number, symbol, or other identifier assigned to the person. "System" includes both records that are manually stored and records that are stored using electronic data processing equipment. "System" does not include published directories, reference materials or newsletters, or routine information that is maintained for the purpose of internal office administration of the person or business and the use of which would not adversely affect a person.

(B)(1) Any person or business that conducts business in this state and that maintains computerized data that includes personal information shall disclose any breach of the security of the system, following its discovery or notification of the breach of the security of the system, to any resident of this state whose personal information was, or reasonably is believed to have been, acquired by an unauthorized person. The disclosure described in this division may be made pursuant to any provision of a contract entered into by the person or business with another person or business prior to the date the breach of the security of the system occurred if that contract does not conflict with any provision of this section and does not waive any provision of this section. For purposes of this section, a resident of this state is an individual whose principal mailing address as reflected in the records of the person or business is in this state.

(2) The person or business shall make the disclosure described in division (B)(1) of this section in the most expedient time possible but not later than forty-five days following its discovery or notification of the breach in the security of the system, subject to the legitimate needs of law enforcement activities described in division (D) of this section and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.

(C) Any person or business that on behalf of another person or business maintains computerized data that includes personal information shall notify that other person or business of any breach of the security of the system in an expeditious manner, if the personal information was, or reasonably is believed to have been, acquired by an unauthorized person.

(D) The person or business may delay the disclosure or notification required by division (B) or (C) of this section if a law enforcement agency determines that the disclosure or notification will impede a criminal investigation, in which case, the person or business shall make the disclosure or notification after the law enforcement agency determines that disclosure or notification will not compromise the investigation.

(E) For purposes of this section, a person or business may disclose or make a notification by any of the following methods:

(1) Written notice;

(2) Electronic notice, if the disclosure or notice provided is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. 7001, as amended;

(3) Telephone notice;

(4) Notice consisting of all of the following:

(a) Electronic mail notice when the person or business has electronic mail addresses for the subject persons requiring disclosure or notification;

(b) Conspicuous posting of the disclosure or notice on the person's or business' website, if the person or business maintains one;

(c) Notification to major statewide media.

(F)(1) Notwithstanding division (E) of this section, a person or business that maintains its own disclosure or notification procedures as part of an information privacy or security policy for the treatment of personal information, which procedures also are consistent with the timing requirements of this section, is in compliance with the disclosure or notification requirements of this section if the person or business notifies subject persons requiring disclosure or notification in accordance with its policies in the event of a breach of the security of the system.

(2) A financial institution, trust company, or credit union or any affiliate of a financial institution, trust company, or credit union that is required by federal law, including, but not limited to, any federal statute, regulation, regulatory guidance, or other regulatory action, to notify its customers of an information security breach with respect to information about those customers and that is subject to examination by its functional government regulatory agency for compliance with the applicable federal law, is exempt from the requirements of this section.

(3) This section does not apply to any person or entity that is regulated by sections 1171 to 1179 of the "Social Security Act," chapter 531, 49 Stat. 620 (1935), 42 U.S.C. 1320d to 1320d-8, and any corresponding regulations in 45 C.F.R. Parts 160 and 164.

(G) If a person or business discovers circumstances that require disclosure under this section to more than one thousand residents of this state involved in a single occurrence of a breach of the security of the system, the person or business shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the disclosure given by the person or business to the residents of this state.

(H) Any waiver of this section is contrary to public policy and is void and unenforceable.

(I) The attorney general may conduct pursuant to sections 1349.191 and 1349.192 of the Revised Code an investigation and bring a civil action upon an alleged failure by a person or business to comply with the requirements of this section.

Sec. 1349.191. (A) As used in this section and section 1349.192 of the Revised Code:

(1) "Business" has the same meaning as in section 1349.19 of the Revised Code.

(2) "State agency" has the same meaning as in section 1.60 of the Revised Code.

(B) The attorney general may conduct an investigation if the attorney general, based on complaints or the attorney general's own inquiries, has reason to believe that a state agency has failed or is failing to comply with section 1347.12 of the Revised Code or that a person or business has failed or is failing to comply with section 1349.19 of the Revised Code.

(C) In any investigation conducted pursuant to this section, the attorney general may administer oaths, subpoena witnesses, adduce evidence, and subpoena the production of any book, document, record, or other relevant matter.

(D)(1) If the attorney general under division (C) of this section subpoenas the production of any relevant matter that is located outside this state, the attorney general may designate a representative, including an official of the state in which that relevant matter is located, to inspect the relevant matter on the attorney general's behalf. The attorney general may carry out similar requests received from officials of other states.

(2) Any person who is subpoenaed to produce relevant matter pursuant to division (C) of this section shall make that relevant matter available at a convenient location within this state or the state of the representative designated under division (D)(1) of this section.

(E) Any person who is subpoenaed as a witness or to produce relevant matter pursuant to division (C) of this section may file in the court of common pleas of Franklin county, the county in this state in which the person resides, or the county in this state in which the person's principal place of business is located a petition to extend for good cause shown the date on which the subpoena is to be returned or to modify or quash for good cause shown that subpoena. The person may file the petition at any time prior to the date specified for the return of the subpoena or within twenty days after the service of the subpoena, whichever is earlier.

(F) Any person who is subpoenaed as a witness or to produce relevant matter pursuant to division (C) of this section shall comply with the terms of the subpoena unless the court orders otherwise prior to the date specified for the return of the subpoena or, if applicable, that date as extended. If a person fails without lawful excuse to obey a subpoena, the attorney general may apply to the court of common pleas for an order that does one or more of the following:

(1) Compels the requested discovery;

(2) Adjudges the person in contempt of court;

(3) Grants injunctive relief to restrain the person from failing to comply with section 1347.12 or 1349.19 of the Revised Code, whichever is applicable;

(4) Grants injunctive relief to preserve or restore the status quo;

(5) Grants other relief that may be required until the person obeys the subpoena.

(G) The court shall impose a civil penalty on any person who violates an order of a court issued under division (F) of this section in the same manner as the imposition of a civil penalty under section 1349.192 of the Revised Code for a failure to comply with section 1347.12 or 1349.19 of the Revised Code, whichever is applicable.

Sec. 1349.192. (A) The attorney general may bring a civil action in a court of common pleas for appropriate relief, including a temporary restraining order, preliminary or permanent injunction, and civil penalties, if it appears that a state agency has failed or is failing to comply with section 1347.12 of the Revised Code or that a person or business has failed or is failing to comply with section 1349.19 of the Revised Code. Upon its finding that a state agency has failed to comply with section 1347.12 of the Revised Code, the court shall impose a civil penalty of not more than one thousand dollars per day for each day the state agency fails to comply with that section. Upon its finding that a person or business has failed to comply with section 1349.19 of the Revised Code, the court shall impose a civil penalty of not more than one thousand dollars for each day the person or business fails to comply with that section. Any civil penalty that is assessed under this division shall be deposited into the consumer protection enforcement fund created by section 1345.51 of the Revised Code.

(B) Any state agency that is found by the court to have failed to comply with section 1347.12 of the Revised Code or any person or business that is found by the court to have failed to comply with section 1349.19 of the Revised Code shall be liable to the attorney general for the attorney general's costs in conducting an investigation under section 1349.191 of the Revised Code and bringing an action under this section.

(C) The rights and remedies that are provided under this section are in addition to any other rights or remedies that are provided by law.

Section 2. That existing sections 1345.51 and 1347.01 of the Revised Code are hereby repealed.

Section 3. This act deals with subject matter that is of statewide concern. It is the intent of the General Assembly that this act supersede and preempt all rules, regulations, resolutions, codes, and ordinances of all counties, municipal corporations, townships, and agencies of counties, municipal corporations, and townships that pertain to matters that are expressly set forth or regulated under this act.