Ohio’s Security Breach Notification Act

For millions of American consumers, identity theft is a scary subject. With the proliferation of information technology in every aspect of daily life, it has become increasingly difficult for consumers to know what sorts of information businesses keep about them, and what is done with that information. It is no longer uncommon to hear news reports wherein a stolen laptop or hacked computer system puts at risk the personal information of thousands, or even millions of people.

These kinds of security breaches have prompted many state governments to pass mandatory disclosure statutes to protect consumers. These laws require businesses and other organizations to notify anyone affected by a security breach that puts their personal information at risk. The purpose of such notification is to give consumers the opportunity to change passwords, and to monitor their accounts or credit reports for unauthorized use. Ohio passed its own notification law in 2006.

Since so many businesses now keep customers’ personal information on file, business owners should take care to understand what the Security Breach Notification Act covers, and what it requires of them. The law applies to all types of business organizations that own computerized personal information, which is defined as an individual’s full name in combination with one or more of the following:

Social security number
Driver’s license number or state ID card number
Credit card, debit card or account number and password which would permit access to an individual’s financial account

Businesses should consider carefully whether or not it is necessary to keep this type of information on file. Those that do should consider storing such information in an encrypted or redacted form, which will provide a measure of protection to their customers. When personal information is compromised by a security breach, businesses have 45 days to notify affected persons who are Ohio residents. The law applies to any security breach that “causes or reasonably is believed will cause a material risk of identity theft or other fraud.” Ohio Rev. Code S 1349.19(B)(1). The primary notification methods outlined in the statute include written notification, telephone notification or electronic notification (when this is the primary means of communication with the affected resident). Alternative methods of notification are available for businesses that can demonstrate one of the following:

There is not adequate contact information to make the required disclosure
The cost of disclosure would exceed $250,000
The number of residents affected is more than 500,000
The business has 10 or fewer employees and the cost of disclosure would exceed $10,000

Furthermore, businesses must also notify consumer reporting agencies when a security breach affects more than 1,000 people.

Although the law does not provide a private right of action (that is, an affected individual cannot sue a company that fails to disclose a security breach), it does allow the Ohio Attorney General to impose severe fines for violations. Understanding the requirements of the Security Breach Notification Act is the first step for those who wish to protect themselves and their customers. Other organizations may even want to consult with their attorneys and/or IT professionals to assess and mitigate their security risks.