Ohio Passes Data Security Breach Legislation

December 2005

The Ohio legislature has enacted a law that regulates data security breaches.  H.B. 104 was approved on November 17, 2005 and becomes effective on February 17, 2006 .  The law applies to any individual or commercial entity that conducts business in the state of Ohio and that owns or licenses computerized data that includes personal information about a resident of Ohio .  The law also applies to any state agency or agency of a political subdivision that engages in such activities.  Should such individual, or entity or state agency become aware of a breach of security in its system, it must conduct a reasonable and prompt investigation to determine the likelihood that any personal information has or may be misused.  If that investigation determines that there is a reasonable likelihood that such misuse may occur, it must give notice as soon as possible to the affected Ohio residents.

Where there is a licensee or owner of the information for whom the individual or entity operates a data system, the individual or owner must give notice to and cooperate with such owner or licensee immediately following discovery of the breach, including sharing with the owner or licensee information relevant to the breach.

For purposes of H.B. 104, “personal information” includes an individual’s name (first name or first initial and last name), in combination with or linked to any one or more of the following data elements that relate to the resident, where such information is not encrypted:  (1) Social Security number; (2) driver’s license number or state identification card number; or (3) account number, credit or debit card number, in combination with any necessary security or access code or password.

With the enactment of this legislation, Ohio joins a growing number of states that have decided to act on this issue in the wake of the highly publicized LEXIS-NEXIS, DSW Shoe Warehouse and Choicepoint security breaches.  California was the first state to require consumers be notified of the possibility of misuse of personal information, and at least 11 states have enacted similar measures, although these measures vary in the nature of the duties imposed on the data servicers.  As yet, the U.S. Congress has not been able to reach agreement on legislation that would preempt state laws and establish a national standard.

For additional information, please contact Jane Shea at jshea@fbtlaw.com or (513) 651-6961 .


Additional Documents: