Global Data Privacy Guide
USA, Ohio (United States)
Firm: Calfee, Halter & Griswold LLP
Updated 25 Feb 2022

What is the key legislation?
Ohio Revised Code §§ 1349.19 to 1349.192 (the “Act”).
The Act went into effect on February 17, 2006, as amended on March 30, 2007, and governs the obligations of a person when there is a breach of the security of the system that holds personal information.
“Breach of the security of the system” means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a person and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of [Ohio]. Ohio Rev. Code § 1349.19(A)(1)(a).
There are two breach exceptions:
- Good faith acquisition of personal information by an employee or agent of the person for the purposes of the person is not a breach of the security of the system, provided that the personal information is not used for an unlawful purpose or subject to further unauthorized disclosure.
- Acquisition of personal information pursuant to a search warrant, subpoena, or other court order, or pursuant to a subpoena, order, or duty of a regulatory state agency.
Ohio Rev. Code §§ 1349.19(A)(1)(b)(i)-(ii).

What data is protected?
The Act protects personal information.
“Personal information” means an individual’s name, consisting of the individual’s first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable:
- social security number;
- driver’s license number or state identification card number; or
- account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual’s financial account.
“Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or any of the following media that are widely distributed:
- any news, editorial, or advertising statement published in any bona fide newspaper, journal, or magazine, or broadcast over radio or television;
- any gathering or furnishing of information or news by any bona fide reporter, correspondent, or news bureau to news media described in division (A)(7)(b)(i) of this section;
- any publication designed for and distributed to members of any bona fide association or charitable or fraternal nonprofit corporation; or
- any type of media similar in nature to any item, entity, or activity identified in division (A)(7)(b)(i), (ii), or (iii) of this section.
Ohio Rev. Code §§ 1349.19(A)(7)(a)-(b).

Who is subject to privacy obligations?
Any person that owns or licenses computerized data that includes personal information. Ohio Rev. Code § 1349.19(B)(1).
“Person” has the same meaning as in section 1.59 of the Revised Code, except that “person” includes a business entity only if the business entity conducts business in this state. Ohio Rev. Code § 1349.19(A)(6).
“Person” includes an individual, corporation, business trust, estate, trust, partnership, and association. Ohio Rev. Code § 1.59(C).
This includes service providers.
Any person that, on behalf of or at the direction of another person or on behalf of or at the direction of any governmental entity, is the custodian of or stores computerized data that includes personal information shall notify that other person or governmental entity of any breach of the security of the system in an expeditious manner, if the personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person and if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to a resident of this state. Ohio Rev. Code § 1349.19(C).
The following persons are exempt from Ohio Rev. Code § 1349.19:
- A financial institution, trust company, or credit union, or any affiliate of a financial institution, trust company, or credit union, that is required by federal law, including, but not limited to, any federal statute, regulation, regulatory guidance, or other regulatory action, to notify its customers of an information security breach with respect to information about those customers and that is subject to examination by its functional government regulatory agency for compliance with the applicable federal law, is exempt from the requirements of this section.
- This section does not apply to any person or entity that is a covered entity as defined in 45 C.F.R. 160.103, as amended.
Ohio Rev. Code §§ 1349.19(F)(1)-(2).

What are the principles applicable to personal data processing?
N/A

How is the processing of personal data regulated?
N/A

How are storage, security and retention of personal data regulated?
N/A

What are the data subjects' rights?
N/A

Are there restrictions on cross-border data transfers?
N/A

Are there any notification requirements for data breaches?
Yes. Persons are required to notify affected residents of any breach of the security of the system, subject to certain requirements and exceptions.
Notification Obligation: The Act requires any person [including custodial or service providers] that owns or licenses computerized data that includes personal information to disclose any breach of the security of the system upon discovery or notification of the breach, immediately, but no later than forty-five days after the discovery, to any resident of [Ohio] whose personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person, but only if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to the resident. Ohio Rev. Code §§ 1349.19(B)(1)-(2).
Delay of Notification for Law Enforcement: The person may delay the disclosure or notification required if a law enforcement agency determines that the disclosure or notification will impede a criminal investigation or jeopardize homeland or national security, in which case the person shall make the disclosure or notification after the law enforcement agency determines that disclosure or notification will not compromise the investigation or jeopardize homeland or national security. Ohio Rev. Code § 1349.19(D).
Form of Notice: Disclosure or notification may be made by the following methods: (i) written notice; (ii) electronic notice, if the person’s primary method of communication with the resident to whom disclosure must be made is by electronic means; (iii) telephone notice; or (iv) substitute notice (described below). Ohio Rev. Code §§ 1349.19(E)(1)-(4).
Substitute Notice: Substitute notice applies in the following circumstances:
- if the person required to disclose demonstrates that the person does not have sufficient contact information to provide notice as described in Ohio Rev. Code § 1349.19(E)(1)-(3) (above);
- the cost of providing disclosure or notice exceeds two hundred fifty thousand dollars ($250,000); or
- the affected class of residents to whom notice is required exceeds five hundred thousand (500,000) persons. Ohio Rev. Code § 1349.19(E)(4).
Substitute notice methods are:
- electronic mail notice if the person making the disclosure has the electronic mail address for the resident;
- conspicuous posting of the disclosure or notice on the person’s web site, if the person maintains one; or
- notification to major media outlets, to the extent that the cumulative total of the readership, viewing audience, or listening audience of all the outlets so notified equals or exceeds seventy-five percent (75%) of the population of Ohio. Ohio Rev. Code §§ 1349.19(E)(4)(a)-(c).
Exception: Substitute notice for a person who is a business entity with ten or fewer employees, where the cost of providing notice to residents will exceed $10,000, shall consist of all of the following: (i) notification by paid advertisement in the local newspaper that is distributed in the geographic area in which the business entity is located, which advertisement shall be of sufficient size that it covers at least one-quarter of the page and shall be published at least once a week for three consecutive weeks; (ii) conspicuous posting of the disclosure or notice on the business entity’s web site, if the entity maintains one; and (iii) notification to major media outlets in the geographic area in which the business entity is located. Ohio Rev. Code §§ 1349.19(E)(5)(a)-(c).
Consumer Reporting Agency Notification: If a person discovers that more than 1,000 residents of [Ohio] involved in a single occurrence of a breach of the security of the system require notification, then that person shall notify, without unreasonable delay and without hindering the notification to residents, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the disclosure given by the person to the residents of [Ohio]. Ohio Rev. Code § 1349.19(G).
There is no requirement to notify a government agency.

Who is the privacy regulator?
The Ohio Attorney General is the privacy regulator. Ohio Rev. Code § 1349.19(I).

What are the consequences of a privacy breach?
There is no private right of action for a breach per se.
The attorney general may conduct an investigation and bring a civil action seeking legal and equitable relief, including monetary civil penalties. Ohio Rev. Code § 1349.192(A).
For intentional or reckless failure to comply with the Act, a civil penalty is imposed according to the following schedule:
- Days 1-60 = $1,000 per day of noncompliance with the Act.
- Days 61-90 = up to $5,000 per day of noncompliance with the Act.
- Days 91+ = up to $10,000 per day of noncompliance with the Act.
Ohio Rev. Code §§ 1349.192(A)(1)(a)-(c).
However, Ohio does offer safe harbor protection under the Data Protection Act, Ohio Revised Code §§ 1354.01 to 1354.05, which went into effect on November 2, 2018, and allows for an affirmative defense against data breach lawsuits for covered entities that maintain recognized cybersecurity programs.
A covered entity seeking the affirmative defense must create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for (i) the protection of personal information; or (ii) the protection of both personal information and restricted information, and that reasonably conforms to an industry-recognized cybersecurity framework. Ohio Rev. Code §§ 1354.02(A)(1)-(2).
Written Cybersecurity Program:
- A covered entity’s cybersecurity program shall do the following, as applicable: (A) protect the security and confidentiality of information; (B) protect against any anticipated threats or hazards to the security or integrity of the information; and (C) protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates. Ohio Rev. Code §§ 1354.02(B)(1)-(3).
- A cybersecurity program of “appropriate” scale and scope is determined based on a list of factors, such as the size and complexity of the covered entity, the sensitivity of the information to be protected, the cost and availability of tools, and the resources available to the covered entity. See Ohio Rev. Code §§ 1354.02(C)(1)-(5).
Reasonable Conformity:
A covered entity’s cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework if one of the following is satisfied:
- The cybersecurity program conforms to a specific list of national or federal frameworks of industry standards (including, e.g., NIST publications, FedRAMP). See Ohio Rev. Code §§ 1354.03(A)(1)-(2);
- The covered entity is subject to, and its cybersecurity program conforms to, specific laws or regulations (e.g., the Health Insurance Portability and Accountability Act (“HIPAA”), Gramm-Leach-Bliley Act (“GLBA”)). See Ohio Rev. Code §§ 1354.03(B)(1)-(2); or
- The cybersecurity program conforms with the payment card industry (“PCI”) data security standard. Ohio Rev. Code §§ 1354.03(C)(1)-(2).
“Covered entity” means a business that accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside this state. Ohio Rev. Code § 1354.01(B).
“Personal information” has the same meaning as in section 1349.19 of the Revised Code. Ohio Rev. Code § 1354.01(D).
“Restricted information” means any information about an individual, other than personal information, that, alone or in combination with other information, including personal information, can be used to distinguish or trace the individual’s identity or that is linked or linkable to an individual, if the information is not encrypted, redacted, or altered by any method or technology in such a manner that the information is unreadable, and the breach of which is likely to result in a material risk of identity theft or other fraud to person or property. Ohio Rev. Code § 1354.01(E).
This law does not affect the notification laws under Ohio Revised Code § 1349.19.
There is no private right of action hereunder. Ohio Rev. Code § 1354.04.

How is electronic marketing regulated?
N/A

Are there any recent developments or expected reforms?
The Ohio Personal Privacy Act (“OPPA”), House Bill 376, was introduced on July 13, 2021, in the Ohio House of Representatives. The crafting of the Bill was led by InnovateOhio, Governor Mike DeWine’s technology innovation office headed by Lt. Governor Jon Husted.
OPPA would apply only to organizations that conduct business in Ohio or target Ohio consumers and:
- have gross annual revenue generated in Ohio that exceeds $25 million,
- process or control data of 100,000 or more Ohio consumers, or
- derive 50% or more of gross revenue from selling or processing data of 25,000 or more Ohio consumers.
Exempted from OPPA would be government agencies, institutions of higher education, financial institutions and affiliates, business-to-business transactions, insurers and private insurance agents, among others. Similarly, OPPA also would not apply to information subject to certain other statutes governing personal data, such as GLBA, HIPAA, FERPA, and FCRA.
The Bill provides Ohio residents with rights regarding when their personal data is collected by businesses, including:
- Right to Know – right to know what data is collected and for what purposes, and for businesses to provide a reasonably accessible, clear and conspicuously posted privacy policy, with affirmative consent for changes and a reasonable means to opt out of having their data processed or disseminated;
- Right to Access – right to request access to and the disclosure of personal data collected for the preceding 12-month period and to be provided such data in an electronic, portable, readily usable format;
- Right to Delete – right to request that a business delete data collected from the consumer for commercial purposes that the business maintains in an electronic format (notably, this provision has 12 exemptions);
- Right to Opt Out – right to opt out of a business’s sale of personal data to third parties (notably, there is no requirement for a “Do Not Sell My Personal Information” link like the CCPA/CPRA requires); and
- Right to Non-discrimination – right to non-discrimination for exercising these rights, with the caveat that businesses could charge different prices or rates for individuals who exercise their rights under OPPA if for legitimate business reasons or as otherwise permitted or required by applicable law.
The Bill was referred to committee in September of 2021 and voted out of committee in February 2022. The Bill was scheduled for a floor vote in the Ohio House of Representatives on February 16, 2022, but was not voted on. The Bill maintains its place on the legislative calendar and could be called up again in the future. A major criticism of the Bill has been that it does not include a private right of action.