To amend sections 1345.51 and 1347.01 and to enact sections 1347.12, 1349.19, 1349.191, and 1349.192 of the Revised Code to require a state agency, person, or business to contact individuals residing in Ohio if unencrypted or unredacted personal information about those individuals that is maintained on the computers of the agency, person, or business is obtained by unauthorized persons and to authorize the Attorney General to investigate and enforce compliance with the requirements.

Section 1.  That sections 1345.51 and 1347.01 be amended and sections 1347.12, 1349.19, 1349.191, and 1349.192 of the Revised Code be enacted to read as follows:

Sec. 1345.51.  There is hereby created in the state treasury the consumer protection enforcement fund. The fund shall include civil penalties ordered pursuant to divisions (A) and (D) of section 1345.07 of the Revised Code and paid as provided in division (G) of that section, all civil penalties assessed under division (A) of section 1349.192 of the Revised Code, all costs awarded to the attorney general and all penalties imposed under section 4549.48 of the Revised Code, and all money unclaimed under section 4549.50 of the Revised Code. The money in the consumer protection enforcement fund shall be used for the sole purpose of paying expenses incurred by the consumer protection section of the office of the attorney general.

Sec. 1347.01.  As used in this chapter, except as otherwise provided:

(A) "State agency" means the office of any elected state officer and any agency, board, commission, department, division, or educational institution of the state.

(B) "Local agency" means any municipal corporation, school district, special purpose district, or township of the state or any elected officer or board, bureau, commission, department, division, institution, or instrumentality of a county.

(C) "Special purpose district" means any geographic or political jurisdiction that is created by statute to perform a limited and specific function, and includes, but is not limited to, library districts, conservancy districts, metropolitan housing authorities, park districts, port authorities, regional airport authorities, regional transit authorities, regional water and sewer districts, sanitary districts, soil and water conservation districts, and regional planning agencies.

(D) "Maintains" means state or local agency ownership of, control over, responsibility for, or accountability for systems and includes, but is not limited to, state or local agency depositing of information with a data processing center for storage, processing, or dissemination. An agency "maintains" all systems of records that are required by law to be kept by the agency.

(E) "Personal information" means any information that describes anything about a person, or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person.

(F) "System" means any collection or group of related records that are kept in an organized manner and that are maintained by a state or local agency, and from which personal information is retrieved by the name of the person or by some identifying number, symbol, or other identifier assigned to the person. "System" includes both records that are manually stored and records that are stored using electronic data processing equipment. "System" does not include collected archival records in the custody of or administered under the authority of the Ohio historical society, published directories, reference materials or newsletters, or routine information that is maintained for the purpose of internal office administration, the use of which would not adversely affect a person.

(G) "Interconnection of systems" means a linking of systems that belong to more than one agency, or to an agency and other organizations, which linking of systems results in a system that permits each agency or organization involved in the linking to have unrestricted access to the systems of the other agencies and organizations.

(H) "Combination of systems" means a unification of systems that belong to more than one agency, or to an agency and another organization, into a single system in which the records that belong to each agency or organization may or may not be obtainable by the others.

Sec. 1347.12.  (A) As used in this section:

(1) "Breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a state agency and that causes or reasonably is believed to cause injury or loss to the person or property of a resident of this state. Good faith acquisition of personal information by an employee or agent of the state agency for the purposes of the state agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure. Acquisition of personal information pursuant to a search warrant, subpoena, or other court order is not a breach of the security of the system.

(2) "Consumer reporting agency that compiles and maintains files on consumers on a nationwide basis" means a consumer reporting agency that, for the purpose of furnishing consumer reports to third parties bearing on a consumer's creditworthiness, credit standing, or credit capacity, regularly engages in the practice of assembling or evaluating, and maintaining, each of the following regarding consumers residing nationwide:

(a) Public record information;

(b) Credit account information from persons who furnish that information to the credit reporting agency regularly and in the ordinary course of business.

(3) "Individual" means a natural person.

(4) "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted, redacted, or altered by any method or technology:

(a) Social security number;

(b) Driver's license number or state identification card number;

(c) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.

(5) "State agency" has the same meaning as in section 1.60 of the Revised Code.

(B)(1) Any state agency that maintains computerized data that includes personal information shall disclose any breach of the security of the system, following its discovery or notification of the breach of the security of the system, to any resident of this state whose personal information was, or reasonably is believed to have been, acquired by an unauthorized person. The disclosure described in this division may be made pursuant to any provision of a contract entered into by the state agency with any person or another state agency prior to the date the breach of the security of the system occurred if that contract does not conflict with any provision of this section. For purposes of this section, a resident of this state is an individual whose principal mailing address as reflected in the records of the state agency is in this state.

(2) The state agency shall make the disclosure described in division (B)(1) of this section in the most expedient time possible but not later than forty-five days following its discovery or notification of the breach in the security of the system, subject to the legitimate needs of law enforcement activities described in division (D) of this section and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.

(C) Any state agency that on behalf of another state agency maintains computerized data that includes personal information shall notify that other state agency of any breach of the security of the system in an expeditious manner, if the personal information was, or reasonably is believed to have been, acquired by an unauthorized person.

(D) The state agency may delay the disclosure or notification required by division (B) or (C) of this section if a law enforcement agency determines that the disclosure or notification will impede a criminal investigation, in which case, the state agency shall make the disclosure or notification after the law enforcement agency determines that disclosure or notification will not compromise the investigation.

(E) For purposes of this section, a state agency may disclose or make a notification by any of the following methods:

(1) Written notice;

(2) Electronic notice, if the disclosure or notice provided is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. 7001, as amended;

(3) Telephone notice;

(4) Notice consisting of all of the following:

(a) Electronic mail notice when the state agency has electronic mail addresses for the subject persons requiring disclosure or notification;

(b) Conspicuous posting of the disclosure or notice on the state agency's website, if the agency maintains one;

(c) Notification to major statewide media.

(F) Notwithstanding division (E) of this section, a state agency that maintains its own disclosure or notification procedures as part of an information privacy or security policy for the treatment of personal information, which procedures also are consistent with the timing requirements of this section, is in compliance with the disclosure or notification requirements of this section if it notifies subject persons requiring disclosure or notification in accordance with its policies in the event of a breach of the security of the system.

(G) If a state agency discovers circumstances that require disclosure under this section to more than one thousand residents of this state involved in a single occurrence of a breach of the security of the system, the state agency shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the disclosure given by the state agency to the residents of this state.

(H) The attorney general, pursuant to sections 1349.191 and 1349.192 of the Revised Code, may conduct an investigation and bring a civil action upon an alleged failure by a state agency to comply with the requirements of this section.

Sec. 1349.19.  (A) As used in this section:

(1) "Breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business and that causes or reasonably is believed to cause injury or loss to the person or property of a resident of this state. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure. Acquisition of personal information pursuant to a search warrant, subpoena, or other court order is not a breach of the security of the system.

(2) "Business" means both of the following:

(a) A sole proprietorship, partnership, corporation, association, or other group, however organized and whether operating for profit or not for profit, including a financial institution organized, chartered, or holding a license authorizing operation under the laws of this state, any other state, the United States, or any other country, or the parent or subsidiary of a financial institution;

(b) An entity that destroys records.

(3) "Consumer reporting agency that compiles and maintains files on consumers on a nationwide basis" means a consumer reporting agency that, for the purpose of furnishing consumer reports to third parties bearing on a consumer's creditworthiness, credit standing, or credit capacity, regularly engages in the practice of assembling or evaluating, and maintaining, each of the following regarding consumers residing nationwide:

(a) Public record information;

(b) Credit account information from persons who furnish that information to the credit reporting agency regularly and in the ordinary course of business.

(4) "Individual" means a natural person.

(5) "Maintains" means a person's or business's ownership of, control over, responsibility for, or accountability for systems and includes, but is not limited to, a person's or business's depositing of information with a data processing center for storage, processing, or dissemination. A person or business "maintains" all systems of records that are required by law to be kept by the person or business.

(6) "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted, redacted, or altered by any method or technology:

(a) Social security number;

(b) Driver's license number or state identification card number;

(c) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.

(7) "Records" means any material, regardless of the physical form, on which information is recorded or preserved by any means, including in written or spoken words, graphically depicted, printed, or electromagnetically transmitted. "Records" does not include publicly available directories containing information an individual voluntarily has consented to have publicly disseminated or listed, such as name, address, or telephone number.

(8) "System" means any collection or group of related records that are kept in an organized manner, that are maintained by a state or business, and from which personal information is retrieved by the name of the person or by some identifying number, symbol, or other identifier assigned to the person. "System" includes both records that are manually stored and records that are stored using electronic data processing equipment. "System" does not include published directories, reference materials or newsletters, or routine information that is maintained for the purpose of internal office administration of the person or business and the use of which would not adversely affect a person.

(B)(1) Any person or business that conducts business in this state and that maintains computerized data that includes personal information shall disclose any breach of the security of the system, following its discovery or notification of the breach of the security of the system, to any resident of this state whose personal information was, or reasonably is believed to have been, acquired by an unauthorized person. The disclosure described in this division may be made pursuant to any provision of a contract entered into by the person or business with another person or business prior to the date the breach of the security of the system occurred if that contract does not conflict with any provision of this section and does not waive any provision of this section. For purposes of this section, a resident of this state is an individual whose principal mailing address as reflected in the records of the person or business is in this state.

(2) The person or business shall make the disclosure described in division (B)(1) of this section in the most expedient time possible but not later than forty-five days following its discovery or notification of the breach in the security of the system, subject to the legitimate needs of law enforcement activities described in division (D) of this section and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.

(C) Any person or business that on behalf of another person or business maintains computerized data that includes personal information shall notify that other person or business of any breach of the security of the system in an expeditious manner, if the personal information was, or reasonably is believed to have been, acquired by an unauthorized person.

(D) The person or business may delay the disclosure or notification required by division (B) or (C) of this section if a law enforcement agency determines that the disclosure or notification will impede a criminal investigation, in which case, the person or business shall make the disclosure or notification after the law enforcement agency determines that disclosure or notification will not compromise the investigation.

(E) For purposes of this section, a person or business may disclose or make a notification by any of the following methods:

(1) Written notice;

(2) Electronic notice, if the disclosure or notice provided is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. 7001, as amended;

(3) Telephone notice;

(4) Notice consisting of all of the following:

(a) Electronic mail notice when the person or business has electronic mail addresses for the subject persons requiring disclosure or notification;

(b) Conspicuous posting of the disclosure or notice on the person's or business' website, if the person or business maintains one;

(c) Notification to major statewide media.

(F)(1) Notwithstanding division (E) of this section, a person or business that maintains its own disclosure or notification procedures as part of an information privacy or security policy for the treatment of personal information, which procedures also are consistent with the timing requirements of this section, is in compliance with the disclosure or notification requirements of this section if the person or business notifies subject persons requiring disclosure or notification in accordance with its policies in the event of a breach of the security of the system.

(2) A financial institution, trust company, or credit union or any affiliate of a financial institution, trust company, or credit union that is required by federal law, including, but not limited to, any federal statute, regulation, regulatory guidance, or other regulatory action, to notify its customers of an information security breach with respect to information about those customers and that is subject to examination by its functional government regulatory agency for compliance with the applicable federal law, is exempt from the requirements of this section.

(3) This section does not apply to any person or entity that is regulated by sections 1171 to 1179 of the "Social Security Act," chapter 531, 49 Stat. 620 (1935), 42 U.S.C. 1320d to 1320d-8, and any corresponding regulations in 45 C.F.R. Parts 160 and 164.

(G) If a person or business discovers circumstances that require disclosure under this section to more than one thousand residents of this state involved in a single occurrence of a breach of the security of the system, the person or business shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the disclosure given by the person or business to the residents of this state.

(H) Any waiver of this section is contrary to public policy and is void and unenforceable.

(I) The attorney general may conduct pursuant to sections 1349.191 and 1349.192 of the Revised Code an investigation and bring a civil action upon an alleged failure by a person or business to comply with the requirements of this section.

Sec. 1349.191.  (A) As used in this section and section 1349.192 of the Revised Code:

(1) "Business" has the same meaning as in section 1349.19 of the Revised Code.

(2) "State agency" has the same meaning as in section 1.60 of the Revised Code.

(B) The attorney general may conduct an investigation if the attorney general, based on complaints or the attorney general's own inquiries, has reason to believe that a state agency has failed or is failing to comply with section 1347.12 of the Revised Code or that a person or business has failed or is failing to comply with section 1349.19 of the Revised Code.

(C) In any investigation conducted pursuant to this section, the attorney general may administer oaths, subpoena witnesses, adduce evidence, and subpoena the production of any book, document, record, or other relevant matter.

(D)(1) If the attorney general under division (C) of this section subpoenas the production of any relevant matter that is located outside this state, the attorney general may designate a representative, including an official of the state in which that relevant matter is located, to inspect the relevant matter on the attorney general's behalf. The attorney general may carry out similar requests received from officials of other states.

(2) Any person who is subpoenaed to produce relevant matter pursuant to division (C) of this section shall make that relevant matter available at a convenient location within this state or the state of the representative designated under division (D)(1) of this section.

(E) Any person who is subpoenaed as a witness or to produce relevant matter pursuant to division (C) of this section may file in the court of common pleas of Franklin county, the county in this state in which the person resides, or the county in this state in which the person's principal place of business is located a petition to extend for good cause shown the date on which the subpoena is to be returned or to modify or quash for good cause shown that subpoena. The person may file the petition at any time prior to the date specified for the return of the subpoena or within twenty days after the service of the subpoena, whichever is earlier.

(F) Any person who is subpoenaed as a witness or to produce relevant matter pursuant to division (C) of this section shall comply with the terms of the subpoena unless the court orders otherwise prior to the date specified for the return of the subpoena or, if applicable, that date as extended. If a person fails without lawful excuse to obey a subpoena, the attorney general may apply to the court of common pleas for an order that does one or more of the following:

(1) Compels the requested discovery;

(2) Adjudges the person in contempt of court;

(3) Grants injunctive relief to restrain the person from failing to comply with section 1347.12 or 1349.19 of the Revised Code, whichever is applicable;

(4) Grants injunctive relief to preserve or restore the status quo;

(5) Grants other relief that may be required until the person obeys the subpoena.

(G) The court shall impose a civil penalty on any person who violates an order of a court issued under division (F) of this section in the same manner as the imposition of a civil penalty under section 1349.192 of the Revised Code for a failure to comply with section 1347.12 or 1349.19 of the Revised Code, whichever is applicable.

Sec. 1349.192.  (A) The attorney general may bring a civil action in a court of common pleas for appropriate relief, including a temporary restraining order, preliminary or permanent injunction, and civil penalties, if it appears that a state agency has failed or is failing to comply with section 1347.12 of the Revised Code or that a person or business has failed or is failing to comply with section 1349.19 of the Revised Code. Upon its finding that a state agency has failed to comply with section 1347.12 of the Revised Code, the court shall impose a civil penalty of not more than one thousand dollars per day for each day the state agency fails to comply with that section. Upon its finding that a person or business has failed to comply with section 1349.19 of the Revised Code, the court shall impose a civil penalty of not more than one thousand dollars for each day the person or business fails to comply with that section. Any civil penalty that is assessed under this division shall be deposited into the consumer protection enforcement fund created by section 1345.51 of the Revised Code.

(B) Any state agency that is found by the court to have failed to comply with section 1347.12 of the Revised Code or any person or business that is found by the court to have failed to comply with section 1349.19 of the Revised Code shall be liable to the attorney general for the attorney general's costs in conducting an investigation under section 1349.191 of the Revised Code and bringing an action under this section.

(C) The rights and remedies that are provided under this section are in addition to any other rights or remedies that are provided by law.

Section 2. That existing sections 1345.51 and 1347.01 of the Revised Code are hereby repealed.

Section 3. This act deals with subject matter that is of statewide concern. It is the intent of the General Assembly that this act supersede and preempt all rules, regulations, resolutions, codes, and ordinances of all counties, municipal corporations, townships, and agencies of counties, municipal corporations, and townships that pertain to matters that are expressly set forth or regulated under this act.