Ohio Privacy Laws

Breach Notification

Mandated Timeframe

Within 45 days

Fines & Penalties

Violations

Max $1,000/day & $10,000 after 90 days

REGULATION LEVELS

Breach Reporting Consumer Notifications
Vendor Management Vendor Contract Required
LEVEL DESCRIPTION
Minimal Basic Comprehensive Extensive
LAWS RELATED TO PERSONAL INFORMATION
Regulated Breach Reporting

Breach Reporting Requirements

Consumer Notification Requirements

Vendor Notification of Breach

Vendor Requirements

Vendor Specific Obligations

Vendor Mandated Contracts

Privacy Program Requirements

Protection/Security

Employee Training

Vendor Protection/Security Program

Personal Information Protection

Data Disposal of Personal Information

Quick Facts

Ohio Privacy Law Information

  • Privacy Program

    Organizations must create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information.

  • Breach Reporting

    If any state residents are affected by a breach, the breached Organization must give notice to each affected individual within 45 days of discovery of the breach. If more than 1,000 residents of this state are involved in a single occurrence of a breach, notification is required, without unreasonable delay, to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.

  • Consumer Notification

    If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.

  • Vendor/Third Parties

    Vendors must notify Organizations as soon as possible after the discovery of a breach or suspected breach. The Organization is responsible for completing any required regulatory reporting and consumer notification.

  • Industry Specific Laws

    Ohio passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to data breaches. Licensees must comply with the breach notification requirements, including Commissioner notification within 3 business days.

  • Fines & Penalties

    The Attorney General may bring an action for violations of the breach notification requirements, which carries a penalty of up to $1,000 per day for failed compliance. Further failure to comply will result in fines of $5,000 per day after 60 days and $10,000 per day after 90 days.

Ohio

Statutes and Laws

OHIO REV. CODE § 1349.17

Restricting recording credit card, telephone or social security numbers

OHIO REV. CODE § 1349.18

Printing credit card number and expiration date on receipt

OHIO REV. CODE § 1349.19

Private disclosure of security breach of computerized personal information data

OHIO REV. CODE §§ 3965.01 – 3965.11

Cybersecurity Requirements for Insurance Companies