New Ohio Security Breach Law:
Ohio House Bill 104
Miranda C. Motter
Bricker & Eckler LLP
December 2005
Full text of H.B. 104
The Ohio General Assembly recently approved legislation that requires state agencies and certain business entities to notify Ohio consumers in the event of a breach of security. House Bill 104 was enacted in response to a number of incidents involving the release of personal information for thousands of customers across the nation. Personal information consists of an individual’s name, accompanied by a social security number, a driver’s license or state identification number, or an account, credit, or debit card number that would permit access to the individual’s financial account.
The bill’s notification requirements apply to any business entity, which is defined as a sole proprietorship, a partnership, a corporation, an association, financial institution, or other group, conducting business in Ohio. However, entities that are regulated by the Health Insurance Portability and Accountability Act (HIPAA) are exempt from the application of the bill’s notification requirements. Additionally, financial institutions, trust companies, credit unions, or affiliates that are required by federal law to notify their customers of an information security breach, and are subject to an examination by their functional government regulatory agency for compliance, are also exempt.
When a business discovers or is notified of a security breach involving personal information, that business must notify the affected Ohio residents within 45 days. Custodians or “storers” of computerized data that includes personal information for other businesses must notify those businesses of the breach.
When a business is required to notify more than 1,000 Ohio residents, that business must also notify all consumer reporting agencies that compile and maintain files on customers on a nationwide basis of the timing, distribution, and context of the notification given by the business to the residents.
Businesses that are required to make notification under House Bill 104 must do so by a written notice, electronic notice, or telephone notice. The bill permits substitute notice in certain situations.
House Bill 104 authorizes the Ohio Attorney General to enforce the bill’s notification requirements. Investigations may be conducted if there is reason to believe that a business has failed or is failing to comply with the notification requirements. Additionally, the bill provides the Attorney General the exclusive authority to bring a civil action for noncompliance.
Governor Taft signed House Bill 104 on November 17, 2005, and as a result, the bill will become effective on February 17, 2006.
Once effective, House Bill 104’s notification requirements will apply to most business entities. Therefore, it is extremely important for businesses to monitor their systems for breaches in security and to understand the notification requirements.