Mandated Timeframe for Breach Reporting and/or Consumer Notification

Within 45 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Third Party: Specific Obligations
  • Third Party: Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach and notification laws: up to $10,000 per day if over 90 days

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Third Party Management
  • Data Protection
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • The Attorney General may investigate and bring a civil action upon an alleged failure by a person to comply with laws regarding a security breach.
  • If more than 1,000 residents of this state are involved in a single occurrence of a breach, notification is required, without unreasonable delay, to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
  • Owners of personal information or restricted information must create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information.
  • Violations of § 1349.17 (Restricting recording credit card, telephone or social security numbers) are considered, and may result in the penalties attributed to, a minor misdemeanor.
  • If a vendor is breached, the vendor must report it to the data owner. The data owner is responsible for completing the reporting and consumer notification.
  • If your breach affects residents in other states, you will need to notify those residents using those states’ rules.
Statutes and Laws
  • Ohio Rev. Code §§ 1354.01-1354.05 Data Protection Act (effective 11/2/2018)
  • Ohio Rev. Code § 1349.17 Restricting recording credit card, telephone or social security numbers (1993)
  • Ohio Rev. Code § 1349.18 Printing credit card number and expiration date on receipt (2004)
  • Ohio Rev. Code § 1349.19 Private disclosure of security breach of computerized personal information data (2006)
  • Ohio Rev. Code § 1349.99 Penalty (regarding violations of § 1349.17) (1999)
