Ohio Code § 1349.19 et seq
Enacted: 2.17.2006
Type of Data Covered: Computerized or electronic data.
Is Breach Defined?
“Breach of the security of the system” means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a person and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state.
When is notice required?
Notice is required for all affected residents "...in the most expedient time possible but not later than forty-five days following its discovery or notification of the breach in the security of the system, subject to the legitimate needs of law enforcement...and consistent with any measures necessary to determine the scope of the breach, including which residents’ personal information was accessed and acquired, and to restore the reasonable integrity of the data system." Notice may be written, electronic, telephonic, or via "substitute notice" procedures, depending on the circumstances. If over 1,000 residents are affected, credit reporting agencies must be notified as well.
What are the penalties for non-compliance?
Violations have their own section of the law, § 1349.192, which says that the Attorney General has exclusive rights of action under the statute and he may seek an injunction and statutory damages, with increasing penalties based on the length of time it takes for the company to comply. All civil penalties collected are deposited into the consumer protection enforcement fund of Ohio.