Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.

OHIO DATA PRIVACY REGULATIONS

Did You Know?

 
  • 45-day deadline for notifications
  • Limited methods of notification delivery
  • Data owners are responsible for breach reporting and notifications
  • Vendors must report to OH data owners and cooperate
  • Reporting to Consumer Reporting Agencies may be required with specific information
  • Ohio's state attorney general conducts investigations to ensure compliance

Who Me?

 

Ohio breach and notification laws may apply if you are a person that:

  • Owns or licenses computerized data that includes PII about a resident of Ohio;
  • On behalf of or at the direction of another person or governmental entity, stores or is the custodian of computerized data that includes PII.

 There are exemptions.

Other state or federal laws, industry regulations, and/or out-of-country laws may apply.

What is PII?

 

PII relevant to a breach in Ohio includes a person's name plus one of the following:

  • Social Security Number;
  • Driver license or identification number;
  • Account number or credit or debit card number in combination with any security code, access code, or password, etc. permitting access to the person's account.

LAWS

APPLICABLE LAW

A few applicable statutes include, but are not limited to:

BUSINESSES: Title [13] XIII Commercial Transactions - Ohio Uniform Commercial Code / Chapter 1349: Consumer Protection: 1349.19 Private disclosure of security breach of computerized personal information data, 1349.191, 1349.192

STATE AGENCIES: Title [13] XIII Commercial Transactions - Ohio Uniform Commercial Code / Chapter 1347: Personal Information Systems: 1347.01, 1347.12 Agency disclosure of security breach of computerized personal information data, 1347.15

RELATED LAWS

Related laws regarding record retention schedules include, but are not limited to:

  • Central clinical record - Ohio Admin. Code 3701-19-23
  • Confidentiality - Ohio Rev. Code Ann. § 5123.31
  • Confidentiality of patient records - Ohio Admin. Code 4729-5-29
  • Duty of covered entities - Ohio Rev. Code Ann. § 3798.03
  • General medical records requirements - Ohio Admin. Code 3701-83-11

PENALTIES

COMPLIANCE PENALTIES

The attorney general can bring a civil action, including a temporary restraining order, a preliminary or permanent injunction, and civil penalties as follows:

  • The combination of personal information breached;
  • For each day the business fails to comply: up to $1,000 per day;
  • For each day the business fails to comply over 60 days: $5,000 per day;
  • For each day the business fails to comply over 90 days: $10,000 per day.

BREACH REPORTING

MULTIPLE FACTORS TO CONSIDER

Factors to consider when assessing reporting requirements include, but are not limited to:

  • The combination of personal information breached
  • If the data was computerized
  • If the data was encrypted or redacted
  • If a security key or password was accessed
  • If it was acquired by an unauthorized person
  • If there is a material risk of identity theft or other fraud

TIME LIMITS

In Ohio, notification may be delayed if law enforcement advises the person that it will interfere with an investigation; otherwise, the notification must be made in the most expedient time possible and no later than 45 days.

CONSUMER NOTIFICATION

Requires detailed information and potential provision of services

Disclosure may be made by written notice, telephone, or electronically (with stipulations).

A substitute notice, with specific requirements, may be sent if the cost of the notice exceeds $250,000, the number of persons notified exceeds 500,000, or they do not have sufficient contact information.

An alternate substitute notice, with specific requirements, may be sent if the person demonstrates they have ten employees or fewer and the cost will exceed $10,000.
