Ohio Data Breach Notification Law

Notification deadline: Most expedient time possible, not to exceed 45 days

Enforcement: Ohio Attorney General

Overview

Ohio requires breach notification "in the most expedient time possible" and offers businesses an affirmative defense against data breach lawsuits if they implement qualifying cybersecurity programs - making Ohio unique in incentivizing proactive security.

Who Must Be Notified

• • Affected Ohio residents
• • Ohio Attorney General (recommended but not required)

Covered Data Types

Social Security number, Driver's license number, State ID number, Financial account number with access code, Credit/debit card number

Notification Requirements

• • Written, telephonic, or electronic notice
• • Most expedient time possible, not exceeding 45 days
• • Include description of breach and information types
• • Contact information for business
• • Toll-free numbers for credit bureaus
• • Substitute notice allowed if cost exceeds $250,000 or 500,000+ affected

Exemptions

• • Encrypted data (if key not compromised)
• • Good faith acquisition by employee
• • Entities in compliance with GLBA, HIPAA

Penalties

Violations treated as unfair or deceptive practices. AG can seek injunctions and penalties. HOWEVER: businesses with qualifying cybersecurity programs have affirmative defense against breach lawsuits.