Mandated Timeframe for Breach Reporting and/or Consumer Notification

Within 45 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach notification laws:
- up to $1,000 per day ($10,000 after 90 days)

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • The Attorney General may investigate and bring a civil action upon an alleged failure by a person to comply with laws regarding a security breach.
  • If more than 1,000 residents of this state are involved in a single occurrence of a breach, notification is required, without unreasonable delay, to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
  • Owners of personal information or restricted information must create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information.
  • Violations relating to § 1349.17 (Restricting recording credit card, telephone or social security numbers) are considered, and may result in penalties attributed to, a minor misdemeanor.
  • If a vendor is breached, it must report the breach to the data owner. The data owner is responsible for completing the reporting and consumer notification.
  • If your breach affects residents in other states, you will need to notify those residents using those states’ rules.
  • Ohio passed the sector-specific Cybersecurity Requirements for Insurance Companies law, which includes requirements for insurance licensees to protect personal information and investigate and respond to breaches of security. Licensees have until March 20, 2020 to comply with the written information security program requirements, and until March 20, 2021 to comply with the vendor management requirements.
Statutes and Laws
  • Ohio Rev. Code §§ 1354.01-1354.05 Data Protection Act

    Ohio Rev. Code § 1349.17 Restricting recording credit card, telephone or social security numbers

    Ohio Rev. Code § 1349.18 Printing credit card number and expiration date on receipt

    Ohio Rev. Code § 1349.19 Private disclosure of security breach of computerized personal information data

    Ohio Rev. Code §§ 3965.01-3965.11 Cybersecurity Requirements for Insurance Companies
