If your company collects the “personal information” of customers or employees on its computers and those people are residents of Ohio, it is vital that you establish a system to protect this information and respond accordingly in the event of a security breach. Ohio Revised Code Section 1349.19 establishes notification requirements if the electronic security system protecting this information is breached. If your business suffers a data breach and does not follow the notification requirements outlined under this law, you may be subject to penalties of $10,000 per day.
What is personal information?
Ohio law defines “personal information” as one’s first name (or first initial) and last name combined with one of the following: (1) social security number, (2) driver’s license number or state identification card number, or (3) account or credit card number combined with any security code, access code, or password allowing access to that account. For example, if you maintain an electronic database of your employees’ names and social security numbers and those employees are residents of Ohio, you are collecting personal information and are subject to this law.
What constitutes a breach?
A breach of personal information occurs when someone gains unauthorized access to and acquires this information in a manner that compromises its confidentiality. The breach must cause a material risk of identity theft or fraud or reasonably lead one to believe that a risk of identity theft or fraud has or will occur. If a breach occurs or is believed to have occurred, certain notification requirements must be made to those whose personal information is at risk.
What do you do if your business suffers a breach?
A prompt investigation of the breach must be conducted to determine its scope and severity. If there is a reasonable likelihood that personal information will be misused, the business must notify the individuals who have had their information compromised. Notification may be done by mail or telephone. If the primary method of communication with the compromised individual is by electronic communication, an electronic notification is sufficient. In any event, notification must be made to those affected as quickly as possible and must not be made any later than 45 days after the breach has been discovered. If more than 1,000 individuals are affected, notification to national credit bureaus must be made. Different notification rules apply in special cases, such as businesses with fewer than 10 employees, a breach in which more than 500,000 people are affected, a breach in which the cost to notify those affected would exceed $250,000, or when the contact information for those affected is not sufficient.
How do you prepare for a data breach?
Due to the increasing frequency of security breaches, the increasing number of businesses that collect personal information, and the possibility of a $10,000 per day penalty for failing to comply with the data breach notification law, it is imperative that you plan for a data security breach. Know the definition of “personal information” and whether or not you collect it. Know the definition of “breach” and monitor your data accordingly. Know what notification you must give, when you must give it, and to whom it must be made should a breach occur. Consider hiring a “breach coach” or appointing someone within your company to this role so that any security breach can be effectively managed. Also consider contracting with customers and employees regarding how and when notification of any breach will be made. Such contracts are permissible as long as they are within the confines of the notification law.
If you collect personal information, or are unsure whether you do, talk to a legal professional about planning your data security breach response.