Compliance - Ohio Security Breach Law
Summary:
The Notification Law requires each Covered Entity that owns or licenses computerized data to disclose certain breaches of the security of its system. For purposes of Ohio law, a "breach of the security of a system" requires the following elements:
- (i) an unauthorized person accesses and acquires computerized data of a Covered Entity (i.e., information stored in an electronic medium);
- (ii) such access and acquisition compromises the security and confidentiality of the personal information owned or licensed by a Covered Entity; and
- (iii) the access and acquisition of such personal information causes or is reasonably believed to have caused (or will cause) a material risk of identity theft or other fraud to an Ohio resident.
If such a security breach occurs, the Covered Entity must notify each Ohio resident whose personal information was, or is reasonably believed to have been, accessed and acquired. Additionally, the Notification Law requires companies that maintain computerized data on behalf of other persons to expeditiously notify the owner of the computerized data of any security breach of a system containing the owner’s data.
Under the Notification Law, "personal information" means an individual’s first name or first initial and last name, in combination with one of the following data elements:
- a Social Security number,
- a driver’s license number or state identification card number, or
- an account number or credit/debit card number in combination with any required access code to that account or card.
The Notification Law is not triggered if these data elements are encrypted, redacted to four digits, or otherwise made to be unreadable. Further, personal information does not include information that is lawfully made available to the general public from government records or certain widely distributed media reports (e.g., published in bona fide newspaper, journal, or magazine or broadcast over radio or television).