
Data Breach Laws in Ohio: Reporting Requirements and Deadlines

In Ohio, any business that experiences a breach that materially compromises the security, confidentiality, or integrity of personal information must notify affected Ohio residents within 45 days by mail, telephone, or email. Substitute notice (for example, a public service announcement) is permitted if more than 500,000 people are affected, if the cost of individual notification would exceed $250,000, or if the business has 10 or fewer employees and the cost of notification would exceed $10,000. When more than 1,000 residents are affected by a single breach, the business must also notify all nationwide consumer reporting agencies.

Name of Law / Statute

Ohio Revised Code § 1349.19 (linked at the bottom of this page)

Definition of Protected Information

Combination of (1) the individual's name or other identifying information, PLUS (2) one or more of these data elements: Social Security number; driver's license number; or account number, credit card number, or debit card number when accompanied by the PIN, password, or access code needed to use it. The identifying element and a data element must appear together for the record to count as personal information.

Who Is Subject to Law?

Any business that owns or licenses computerized personal information of Ohio residents

Notification of Consumers?

Yes, but only if the breach "materially compromises the security, confidentiality, or integrity of" personal information

By what means?

Written, telephone, or electronic notice, no later than 45 days after discovery of the breach; if more than 1,000 residents are affected, the business must also notify the consumer reporting agencies

Substitute Notice Threshold?

If the business has 10 or fewer employees and the cost of notice would exceed $10,000, OR if the cost of notice would exceed $250,000, OR if more than 500,000 residents are affected

Notification of authorities / regulators required?

No

By what means?

N/A

Regulatory Fines

Civil penalties of up to $1,000 per day of non-compliance, rising to $5,000 per day after 60 days and $10,000 per day after 90 days

Credit monitoring requirement?

No

Private lawsuits allowed?

No

Private damages cap?

N/A

Regulatory actions allowed?

Yes

HIPAA Compliance exemption?

N/A

Other  (e.g., timeframe)

The notification requirement does not apply if the personal information was encrypted or redacted (the breach must involve unencrypted, unredacted data)

Link to complete law

http://codes.ohio.gov/orc/1349.19

Read the full text of Ohio’s data breach law.
