BREACH NOTIFICATION – Mandated Timeframe
Within 45 days
FINES & PENALTIES – Violations
Max $1,000/day & $10,000 after 90 days
Vendor Contract Required
PRIVACY AND SECURITY LAWS
Laws related to personal information and privacy and security.
Ohio Privacy Law Information
Organizations must create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information.
If any state residents are affected by a breach, the breached Organization must give notice to each affected individual within 45 days of discovery of the breach. If more than 1,000 residents of this state are involved in a single occurrence of a breach, notification is required, without unreasonable delay, to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
Vendors must notify Organizations as soon as possible after the discovery of a breach or suspected breach. The Organization will be responsible for completing any required regulatory reporting and consumer notification.
Ohio passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to data breaches. Licensees must comply with the breach notification requirements, including Commissioner notification within 3 business days.
The Attorney General may bring an action for violations of the breach notification requirements, which carries a penalty of up to $1,000 per day for failure to comply. Further failure to comply will result in fines of $5,000 per day after 60 days and $10,000 per day after 90 days.
Ohio Statutes and Laws
Restricting recording credit card, telephone or social security numbers
Printing credit card number and expiration date on receipt
Private disclosure of security breach of computerized personal information data
Cybersecurity Requirements for Insurance Companies
The information provided is not legal guidance or a recommendation and is for informational purposes only.