Mandated Timeframe for Breach Reporting and/or Consumer Notification

Within 45 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Required Disposal of Retained Personal Information
  • Require Vendors to Protect Personal Information
  • Verification of Vendor protection/security program
  • Vendor Notification to Organization of breach/suspected breach
Fines & Penalties

Violations of breach notification laws:

- up to $1,000 per day ($10,000 after 90 days)

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Vendor Contract Required
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Organizations must create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information.
  • If any state residents are affected by a breach, the breached Organization must give notice to each affected individual within 45 days of discovery of the breach.
  • If more than 1,000 residents of this state are involved in a single occurrence of a breach, notification is required, without unreasonable delay, to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
  • Vendors must notify Organizations as soon as possible after discovery of a breach or suspected breach. The Organization is responsible for completing any required regulatory reporting and consumer notification.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • The Attorney General may bring an action for violations of the breach notification requirements that brings a penalty of up to $1,000 per day for failed compliance. Further failure to comply will result in fines of $5,000 per day after 60 days and $10,000 per day after 90 days.
  • Ohio’s sector-specific Cybersecurity Requirements for Insurance Companies law includes requirements for insurance licensees to protect personal information and investigate and respond to breaches of security. Licensees have until March 20, 2021 to comply with the vendor management requirements.
Statutes and Laws
  • Ohio Rev. Code §§ 1354.01-1354.05 Data Protection Act
  • Ohio Rev. Code § 1349.17 Restricting recording credit card, telephone or social security numbers
  • Ohio Rev. Code § 1349.18 Printing credit card number and expiration date on receipt
  • Ohio Rev. Code § 1349.19 Private disclosure of security breach of computerized personal information data
  • Ohio Rev. Code §§ 3965.01-3965.11 Cybersecurity Requirements for Insurance Companies