As Introduced

129th General Assembly
Regular Session
2011-2012
H. B. No. 565


Representatives Carney, Winburn 



A BILL

To amend sections 1347.12 and 1349.19 and to enact section 1349.193 of the Revised Code to require governmental agencies and persons that own or license computerized data containing personal information to report security breaches to the Attorney General and to require the Attorney General to establish a searchable database of the reports that is accessible by the public.


BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF OHIO:

Section 1. That sections 1347.12 and 1349.19 be amended and section 1349.193 of the Revised Code be enacted to read as follows:

Sec. 1347.12. (A) As used in this section:

(1) "Agency of a political subdivision" means each organized body, office, or agency established by a political subdivision for the exercise of any function of the political subdivision, except that "agency of a political subdivision" does not include an agency that is a covered entity as defined in 45 C.F.R. 160.103, as amended.

(2)(a) "Breach of the security of the system" means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a state agency or an agency of a political subdivision and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state.

(b) For purposes of division (A)(2)(a) of this section:

(i) Good faith acquisition of personal information by an employee or agent of the state agency or agency of the political subdivision for the purposes of the agency is not a breach of the security of the system, provided that the personal information is not used for an unlawful purpose or subject to further unauthorized disclosure.

(ii) Acquisition of personal information pursuant to a search warrant, subpoena, or other court order, or pursuant to a subpoena, order, or duty of a regulatory state agency, is not a breach of the security of the system.

(3) "Consumer reporting agency that compiles and maintains files on consumers on a nationwide basis" means a consumer reporting agency that regularly engages in the practice of assembling or evaluating, and maintaining, for the purpose of furnishing consumer reports to third parties bearing on a consumer's creditworthiness, credit standing, or credit capacity, each of the following regarding consumers residing nationwide:

(a) Public record information;

(b) Credit account information from persons who furnish that information regularly and in the ordinary course of business.

(4) "Encryption" means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

(5) "Individual" means a natural person.

(6)(a) "Personal information" means, notwithstanding section 1347.01 of the Revised Code, an individual's name, consisting of the individual's first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable:

(i) Social security number;

(ii) Driver's license number or state identification card number;

(iii) Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual's financial account.

(b) "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or any of the following media that are widely distributed:

(i) Any news, editorial, or advertising statement published in any bona fide newspaper, journal, or magazine, or broadcast over radio or television;

(ii) Any gathering or furnishing of information or news by any bona fide reporter, correspondent, or news bureau to news media described in division (A)(6)(b)(i) of this section;

(iii) Any publication designed for and distributed to members of any bona fide association or charitable or fraternal nonprofit corporation;

(iv) Any type of media similar in nature to any item, entity, or activity identified in division (A)(6)(b)(i), (ii), or (iii) of this section.

(7) "Political subdivision" has the same meaning as in section 2744.01 of the Revised Code.

(8) "Record" means any information that is stored in an electronic medium and is retrievable in perceivable form. "Record" does not include any publicly available directory containing information an individual voluntarily has consented to have publicly disseminated or listed, such as name, address, or telephone number.

(9) "Redacted" means altered or truncated so that no more than the last four digits of a social security number, driver's license number, state identification card number, account number, or credit or debit card number is accessible as part of the data.

(10) "State agency" has the same meaning as in section 1.60 of the Revised Code, except that "state agency" does not include an agency that is a covered entity as defined in 45 C.F.R. 160.103, as amended.

(11) "System" means, notwithstanding section 1347.01 of the Revised Code, any collection or group of related records that are kept in an organized manner, that are maintained by a state agency or an agency of a political subdivision, and from which personal information is retrieved by the name of the individual or by some identifying number, symbol, or other identifier assigned to the individual. "System" does not include any collected archival records in the custody of or administered under the authority of the Ohio historical society, any published directory, any reference material or newsletter, or any routine information that is maintained for the purpose of internal office administration of the agency, if the use of the directory, material, newsletter, or information would not adversely affect an individual and if there has been no unauthorized external breach of the directory, material, newsletter, or information.

(B)(1) Any state agency or agency of a political subdivision that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system, following its discovery or notification of the breach of the security of the system, to any resident of this state whose personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to the resident. The disclosure described in this division may be made pursuant to any provision of a contract entered into by the state agency or agency of a political subdivision with any person or another state agency or agency of a political subdivision prior to the date the breach of the security of the system occurred if that contract does not conflict with any provision of this section. For purposes of this section, a resident of this state is an individual whose principal mailing address as reflected in the records of the state agency or agency of a political subdivision is in this state.

(2) The state agency or agency of a political subdivision shall make the disclosure described in division (B)(1) of this section in the most expedient time possible but not later than forty-five days following its discovery or notification of the breach in the security of the system, subject to the legitimate needs of law enforcement activities described in division (D) of this section and consistent with any measures necessary to determine the scope of the breach, including which residents' personal information was accessed and acquired, and to restore the reasonable integrity of the data system.

(3) Any state agency or agency of a political subdivision that is required to disclose a breach of the security of the system under division (B) of this section shall, within the time allowed for disclosure of the breach, report the breach to the attorney general in writing or by electronic mail. The report shall include the date of the breach, the number of people affected by the breach, the method used to notify persons affected by the breach, and any other information the attorney general may require.

(C) Any state agency or agency of a political subdivision that, on behalf of or at the direction of another state agency or agency of a political subdivision, is the custodian of or stores computerized data that includes personal information shall notify that other state agency or agency of a political subdivision of any breach of the security of the system in an expeditious manner, if the personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person and if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to a resident of this state.

(D) The state agency or agency of a political subdivision may delay the disclosure or notification required by division (B), (C), or (F) of this section if a law enforcement agency determines that the disclosure or notification will impede a criminal investigation or jeopardize homeland or national security, in which case, the state agency or agency of a political subdivision shall make the disclosure or notification after the law enforcement agency determines that disclosure or notification will not compromise the investigation or jeopardize homeland or national security.

(E) For purposes of this section, a state agency or agency of a political subdivision may disclose or make a notification by any of the following methods:

(1) Written notice;

(2) Electronic notice, if the state agency's or agency of a political subdivision's primary method of communication with the resident to whom the disclosure must be made is by electronic means;

(3) Telephone notice;

(4) Substitute notice in accordance with this division, if the state agency or agency of a political subdivision required to disclose demonstrates that the agency does not have sufficient contact information to provide notice in a manner described in division (E)(1), (2), or (3) of this section, or that the cost of providing disclosure or notice to residents to whom disclosure or notification is required would exceed two hundred fifty thousand dollars, or that the affected class of subject residents to whom disclosure or notification is required exceeds five hundred thousand persons. Substitute notice under this division shall consist of all of the following:

(a) Electronic mail notice if the state agency or agency of a political subdivision has an electronic mail address for the resident to whom the disclosure must be made;

(b) Conspicuous posting of the disclosure or notice on the state agency's or agency of a political subdivision's web site, if the agency maintains one;

(c) Notification to major media outlets, to the extent that the cumulative total of the readership, viewing audience, or listening audience of all of the outlets so notified equals or exceeds seventy-five per cent of the population of this state.

(5) Substitute notice in accordance with this division, if the state agency or agency of a political subdivision required to disclose demonstrates that the agency has ten employees or fewer and that the cost of providing the disclosures or notices to residents to whom disclosure or notification is required will exceed ten thousand dollars. Substitute notice under this division shall consist of all of the following:

(a) Notification by a paid advertisement in a local newspaper that is distributed in the geographic area in which the state agency or agency of a political subdivision is located, which advertisement shall be of sufficient size that it covers at least one-quarter of a page in the newspaper and shall be published in the newspaper at least once a week for three consecutive weeks;

(b) Conspicuous posting of the disclosure or notice on the state agency's or agency of a political subdivision's web site, if the agency maintains one;

(c) Notification to major media outlets in the geographic area in which the state agency or agency of a political subdivision is located.

(F) If a state agency or agency of a political subdivision discovers circumstances that require disclosure under this section to more than one thousand residents of this state involved in a single occurrence of a breach of the security of the system, the state agency or agency of a political subdivision shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the disclosure given by the state agency or agency of a political subdivision to the residents of this state. In no case shall a state agency or agency of a political subdivision that is required to make a notification required by this division delay any disclosure or notification required by division (B) or (C) of this section in order to make the notification required by this division.

(G) The attorney general, pursuant to sections 1349.191 and 1349.192 of the Revised Code, may conduct an investigation and bring a civil action upon an alleged failure by a state agency or agency of a political subdivision to comply with the requirements of this section.

Sec. 1349.19. (A) As used in this section:

(1)(a) "Breach of the security of the system" means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a person and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state.

(b) For purposes of division (A)(1)(a) of this section:

(i) Good faith acquisition of personal information by an employee or agent of the person for the purposes of the person is not a breach of the security of the system, provided that the personal information is not used for an unlawful purpose or subject to further unauthorized disclosure.

(ii) Acquisition of personal information pursuant to a search warrant, subpoena, or other court order, or pursuant to a subpoena, order, or duty of a regulatory state agency, is not a breach of the security of the system.

(2) "Business entity" means a sole proprietorship, partnership, corporation, association, or other group, however organized and whether operating for profit or not for profit, including a financial institution organized, chartered, or holding a license authorizing operation under the laws of this state, any other state, the United States, or any other country, or the parent or subsidiary of a financial institution.

(3) "Consumer reporting agency that compiles and maintains files on consumers on a nationwide basis" means a consumer reporting agency that regularly engages in the practice of assembling or evaluating, and maintaining, for the purpose of furnishing consumer reports to third parties bearing on a consumer's creditworthiness, credit standing, or credit capacity, each of the following regarding consumers residing nationwide:

(a) Public record information;

(b) Credit account information from persons who furnish that information regularly and in the ordinary course of business.

(4) "Encryption" means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

(5) "Individual" means a natural person.

(6) "Person" has the same meaning as in section 1.59 of the Revised Code, except that "person" includes a business entity only if the business entity conducts business in this state.

(7)(a) "Personal information" means an individual's name, consisting of the individual's first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable:

(i) Social security number;

(ii) Driver's license number or state identification card number;

(iii) Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual's financial account.

(b) "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or any of the following media that are widely distributed:

(i) Any news, editorial, or advertising statement published in any bona fide newspaper, journal, or magazine, or broadcast over radio or television;

(ii) Any gathering or furnishing of information or news by any bona fide reporter, correspondent, or news bureau to news media described in division (A)(7)(b)(i) of this section;

(iii) Any publication designed for and distributed to members of any bona fide association or charitable or fraternal nonprofit corporation;

(iv) Any type of media similar in nature to any item, entity, or activity identified in division (A)(7)(b)(i), (ii), or (iii) of this section.

(8) "Record" means any information that is stored in an electronic medium and is retrievable in perceivable form. "Record" does not include any publicly available directory containing information an individual voluntarily has consented to have publicly disseminated or listed, such as name, address, or telephone number.

(9) "Redacted" means altered or truncated so that no more than the last four digits of a social security number, driver's license number, state identification card number, account number, or credit or debit card number is accessible as part of the data.

(10) "System" means any collection or group of related records that are kept in an organized manner, that are maintained by a person, and from which personal information is retrieved by the name of the individual or by some identifying number, symbol, or other identifier assigned to the individual. "System" does not include any published directory, any reference material or newsletter, or any routine information that is maintained for the purpose of internal office administration of the person, if the use of the directory, material, newsletter, or information would not adversely affect an individual, and there has been no unauthorized external breach of the directory, material, newsletter, or information.

(B)(1) Any person that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system, following its discovery or notification of the breach of the security of the system, to any resident of this state whose personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to the resident. The disclosure described in this division may be made pursuant to any provision of a contract entered into by the person with another person prior to the date the breach of the security of the system occurred if that contract does not conflict with any provision of this section and does not waive any provision of this section. For purposes of this section, a resident of this state is an individual whose principal mailing address as reflected in the records of the person is in this state.

(2) The person shall make the disclosure described in division (B)(1) of this section in the most expedient time possible but not later than forty-five days following its discovery or notification of the breach in the security of the system, subject to the legitimate needs of law enforcement activities described in division (D) of this section and consistent with any measures necessary to determine the scope of the breach, including which residents' personal information was accessed and acquired, and to restore the reasonable integrity of the data system.

(3) Any person that is required to disclose a breach of the security of the system under division (B) of this section shall, within the time allowed for disclosure of the breach, report the breach to the attorney general in writing or by electronic mail. The report shall include the date of the breach, the number of people affected by the breach, the method used to notify persons affected by the breach, and any other information the attorney general may require.

(C) Any person that, on behalf of or at the direction of another person or on behalf of or at the direction of any governmental entity, is the custodian of or stores computerized data that includes personal information shall notify that other person or governmental entity of any breach of the security of the system in an expeditious manner, if the personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person and if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to a resident of this state.

(D) The person may delay the disclosure or notification required by division (B), (C), or (G) of this section if a law enforcement agency determines that the disclosure or notification will impede a criminal investigation or jeopardize homeland or national security, in which case, the person shall make the disclosure or notification after the law enforcement agency determines that disclosure or notification will not compromise the investigation or jeopardize homeland or national security.

(E) For purposes of this section, a person may disclose or make a notification by any of the following methods:

(1) Written notice;

(2) Electronic notice, if the person's primary method of communication with the resident to whom the disclosure must be made is by electronic means;

(3) Telephone notice;

(4) Substitute notice in accordance with this division, if the person required to disclose demonstrates that the person does not have sufficient contact information to provide notice in a manner described in division (E)(1), (2), or (3) of this section, or that the cost of providing disclosure or notice to residents to whom disclosure or notification is required would exceed two hundred fifty thousand dollars, or that the affected class of subject residents to whom disclosure or notification is required exceeds five hundred thousand persons. Substitute notice under this division shall consist of all of the following:

(a) Electronic mail notice if the person has an electronic mail address for the resident to whom the disclosure must be made;

(b) Conspicuous posting of the disclosure or notice on the person's web site, if the person maintains one;

(c) Notification to major media outlets, to the extent that the cumulative total of the readership, viewing audience, or listening audience of all of the outlets so notified equals or exceeds seventy-five per cent of the population of this state.

(5) Substitute notice in accordance with this division, if the person required to disclose demonstrates that the person is a business entity with ten employees or fewer and that the cost of providing the disclosures or notices to residents to whom disclosure or notification is required will exceed ten thousand dollars. Substitute notice under this division shall consist of all of the following:

(a) Notification by a paid advertisement in a local newspaper that is distributed in the geographic area in which the business entity is located, which advertisement shall be of sufficient size that it covers at least one-quarter of a page in the newspaper and shall be published in the newspaper at least once a week for three consecutive weeks;

(b) Conspicuous posting of the disclosure or notice on the business entity's web site, if the entity maintains one;

(c) Notification to major media outlets in the geographic area in which the business entity is located.

(F)(1) A financial institution, trust company, or credit union or any affiliate of a financial institution, trust company, or credit union that is required by federal law, including, but not limited to, any federal statute, regulation, regulatory guidance, or other regulatory action, to notify its customers of an information security breach with respect to information about those customers and that is subject to examination by its functional government regulatory agency for compliance with the applicable federal law, is exempt from the requirements of this section.

(2) This section does not apply to any person or entity that is a covered entity as defined in 45 C.F.R. 160.103, as amended.

(G) If a person discovers circumstances that require disclosure under this section to more than one thousand residents of this state involved in a single occurrence of a breach of the security of the system, the person shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the disclosure given by the person to the residents of this state. In no case shall a person that is required to make a notification required by this division delay any disclosure or notification required by division (B) or (C) of this section in order to make the notification required by this division.

(H) Any waiver of this section is contrary to public policy and is void and unenforceable.

(I) The attorney general may conduct pursuant to sections 1349.191 and 1349.192 of the Revised Code an investigation and bring a civil action upon an alleged failure by a person to comply with the requirements of this section.

Sec. 1349.193. The attorney general shall establish and maintain a searchable database, accessible to the public, of all breaches of the security of their systems reported to the attorney general by state agencies or agencies of political subdivisions pursuant to section 1347.12 of the Revised Code or by persons pursuant to section 1349.19 of the Revised Code. The database shall include for each breach the date of the breach, the number of people affected by the breach, the method used to notify persons affected by the breach, and any other information the attorney general considers necessary for the protection of the public.

Section 2. That existing sections 1347.12 and 1349.19 of the Revised Code are hereby repealed.