Organizations must create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information.

If any state residents are affected by a breach, the breached Organization must give notice to each affected individual within 45 days of discovery of the breach. If more than 1,000 residents of this state are involved in a single occurrence of a breach, notification is required, without unreasonable delay, to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.

If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.

Vendors must notify Organizations as soon as possible after the discovery of a breach or suspected breach. The Organization will be responsible to complete any required regulatory reporting and consumer notification.

Ohio passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to data breaches. Licensees must comply with the breach notification requirements, including Commissioner notification within 3 business days.

The Attorney General may bring an action for violations of the breach notification requirements that brings a penalty of up to $1,000 per day for failed compliance. Further failure to comply will result in fines of $5,000 per day after 60 days and $10,000 per day after 90 days.