(2)(a) "Breach of the security of the system" means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a state agency or an agency of a political subdivision and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state.
(3) "Consumer reporting agency that compiles and maintains files on consumers on a nationwide basis" means a consumer reporting agency that regularly engages in the practice of assembling or evaluating, and maintaining, for the purpose of furnishing consumer reports to third parties bearing on a consumer's creditworthiness, credit standing, or credit capacity, each of the following regarding consumers residing nationwide:
(6)(a) "Personal information" means, notwithstanding section 1347.01 of the Revised Code, an individual's name, consisting of the individual's first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable:
(11) "System" means, notwithstanding section 1347.01 of the Revised Code, any collection or group of related records that are kept in an organized manner, that are maintained by a state agency or an agency of a political subdivision, and from which personal information is retrieved by the name of the individual or by some identifying number, symbol, or other identifier assigned to the individual. "System" does not include any collected archival records in the custody of or administered under the authority of the Ohio historical society, any published directory, any reference material or newsletter, or any routine information that is maintained for the purpose of internal office administration of the agency, if the use of the directory, material, newsletter, or information would not adversely affect an individual and if there has been no unauthorized external breach of the directory, material, newsletter, or information.
(B)(1) Any state agency or agency of a political subdivision that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system, following its discovery or notification of the breach of the security of the system, to any resident of this state whose personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to the resident. The disclosure described in this division may be made pursuant to any provision of a contract entered into by the state agency or agency of a political subdivision with any person or another state agency or agency of a political subdivision prior to the date the breach of the security of the system occurred if that contract does not conflict with any provision of this section. For purposes of this section, a resident of this state is an individual whose principal mailing address as reflected in the records of the state agency or agency of a political subdivision is in this state.
(2) The state agency or agency of a political subdivision shall make the disclosure described in division (B)(1) of this section in the most expedient time possible but not later than forty-five days following its discovery or notification of the breach in the security of the system, subject to the legitimate needs of law enforcement activities described in division (D) of this section and consistent with any measures necessary to determine the scope of the breach, including which residents' personal information was accessed and acquired, and to restore the reasonable integrity of the data system.
(3) Any state agency or agency of a political subdivision that is required to disclose a breach of the security of the system under division (B) of this section shall, within the time allowed for disclosure of the breach, report the breach to the attorney general in writing or by electronic mail. The report shall include the date of the breach, the number of people affected by the breach, the method used to notify persons affected by the breach, and any other information the attorney general may require.
(C) Any state agency or agency of a political subdivision that, on behalf of or at the direction of another state agency or agency of a political subdivision, is the custodian of or stores computerized data that includes personal information shall notify that other state agency or agency of a political subdivision of any breach of the security of the system in an expeditious manner, if the personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person and if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to a resident of this state.
(D) The state agency or agency of a political subdivision may delay the disclosure or notification required by division (B), (C), or (F) of this section if a law enforcement agency determines that the disclosure or notification will impede a criminal investigation or jeopardize homeland or national security, in which case, the state agency or agency of a political subdivision shall make the disclosure or notification after the law enforcement agency determines that disclosure or notification will not compromise the investigation or jeopardize homeland or national security.
(4) Substitute notice in accordance with this division, if the state agency or agency of a political subdivision required to disclose demonstrates that the agency does not have sufficient contact information to provide notice in a manner described in division (E)(1), (2), or (3) of this section, or that the cost of providing disclosure or notice to residents to whom disclosure or notification is required would exceed two hundred fifty thousand dollars, or that the affected class of subject residents to whom disclosure or notification is required exceeds five hundred thousand persons. Substitute notice under this division shall consist of all of the following:
(F) If a state agency or agency of a political subdivision discovers circumstances that require disclosure under this section to more than one thousand residents of this state involved in a single occurrence of a breach of the security of the system, the state agency or agency of a political subdivision shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the disclosure given by the state agency or agency of a political subdivision to the residents of this state. In no case shall a state agency or agency of a political subdivision that is required to make a notification required by this division delay any disclosure or notification required by division (B) or (C) of this section in order to make the notification required by this division.
(1)(a) "Breach of the security of the system" means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a person and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state.
(2) "Business entity" means a sole proprietorship, partnership, corporation, association, or other group, however organized and whether operating for profit or not for profit, including a financial institution organized, chartered, or holding a license authorizing operation under the laws of this state, any other state, the United States, or any other country, or the parent or subsidiary of a financial institution.
(3) "Consumer reporting agency that compiles and maintains files on consumers on a nationwide basis" means a consumer reporting agency that regularly engages in the practice of assembling or evaluating, and maintaining, for the purpose of furnishing consumer reports to third parties bearing on a consumer's creditworthiness, credit standing, or credit capacity, each of the following regarding consumers residing nationwide:
(7)(a) "Personal information" means an individual's name, consisting of the individual's first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable:
(10) "System" means any collection or group of related records that are kept in an organized manner, that are maintained by a person, and from which personal information is retrieved by the name of the individual or by some identifying number, symbol, or other identifier assigned to the individual. "System" does not include any published directory, any reference material or newsletter, or any routine information that is maintained for the purpose of internal office administration of the person, if the use of the directory, material, newsletter, or information would not adversely affect an individual, and there has been no unauthorized external breach of the directory, material, newsletter, or information.
(B)(1) Any person that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system, following its discovery or notification of the breach of the security of the system, to any resident of this state whose personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to the resident. The disclosure described in this division may be made pursuant to any provision of a contract entered into by the person with another person prior to the date the breach of the security of the system occurred if that contract does not conflict with any provision of this section and does not waive any provision of this section. For purposes of this section, a resident of this state is an individual whose principal mailing address as reflected in the records of the person is in this state.
(2) The person shall make the disclosure described in division (B)(1) of this section in the most expedient time possible but not later than forty-five days following its discovery or notification of the breach in the security of the system, subject to the legitimate needs of law enforcement activities described in division (D) of this section and consistent with any measures necessary to determine the scope of the breach, including which residents' personal information was accessed and acquired, and to restore the reasonable integrity of the data system.
(3) Any person that is required to disclose a breach of the security of the system under division (B) of this section shall, within the time allowed for disclosure of the breach, report the breach to the attorney general in writing or by electronic mail. The report shall include the date of the breach, the number of people affected by the breach, the method used to notify persons affected by the breach, and any other information the attorney general may require.
(C) Any person that, on behalf of or at the direction of another person or on behalf of or at the direction of any governmental entity, is the custodian of or stores computerized data that includes personal information shall notify that other person or governmental entity of any breach of the security of the system in an expeditious manner, if the personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person and if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to a resident of this state.
(D) The person may delay the disclosure or notification required by division (B), (C), or (G) of this section if a law enforcement agency determines that the disclosure or notification will impede a criminal investigation or jeopardize homeland or national security, in which case, the person shall make the disclosure or notification after the law enforcement agency determines that disclosure or notification will not compromise the investigation or jeopardize homeland or national security.
(4) Substitute notice in accordance with this division, if the person required to disclose demonstrates that the person does not have sufficient contact information to provide notice in a manner described in division (E)(1), (2), or (3) of this section, or that the cost of providing disclosure or notice to residents to whom disclosure or notification is required would exceed two hundred fifty thousand dollars, or that the affected class of subject residents to whom disclosure or notification is required exceeds five hundred thousand persons. Substitute notice under this division shall consist of all of the following:
(F)(1) A financial institution, trust company, or credit union or any affiliate of a financial institution, trust company, or credit union that is required by federal law, including, but not limited to, any federal statute, regulation, regulatory guidance, or other regulatory action, to notify its customers of an information security breach with respect to information about those customers and that is subject to examination by its functional government regulatory agency for compliance with the applicable federal law, is exempt from the requirements of this section.
(G) If a person discovers circumstances that require disclosure under this section to more than one thousand residents of this state involved in a single occurrence of a breach of the security of the system, the person shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the disclosure given by the person to the residents of this state. In no case shall a person that is required to make a notification required by this division delay any disclosure or notification required by division (B) or (C) of this section in order to make the notification required by this division.
Sec. 1349.193. The attorney general shall establish and maintain a searchable database, accessible to the public, of all breaches of the security of their systems reported to the attorney general by state agencies or agencies of political subdivisions pursuant to section 1347.12 of the Revised Code or by persons pursuant to section 1349.19 of the Revised Code. The database shall include for each breach the date of the breach, the number of people affected by the breach, the method used to notify persons affected by the breach, and any other information the attorney general considers necessary for the protection of the public.