Q: What must I do if the personally identifiable information (PII) of my employees or customers is lost or stolen?
A: According to the Privacy Rights Clearinghouse, 616 data breaches have occurred nationwide from January 2013 through January 2014, affecting more than 56,318,949 PII records. Laws of 46 states as well as the U.S. Virgin Islands and Puerto Rico require that victims of a data security breach be notified. Federal laws require health care providers to notify victims of a data security breach involving personal health information, and that financial institutions notify their customers of a data privacy breach.
Your obligation to notify victims of a data security breach experienced by your company is determined by:
• whether your company is subject to the Health Insurance Portability and Accountability Act (HIPAA) or is a financial institution subject to the Gramm-Leach-Bliley Act;
• the state in which the victim lives;
• the nature of the PII what was lost or stolen; and
• the likelihood that the lost or stolen data may harm your customers or employees.
In July 2003, California was one of the first states to enact a Security Breach Notification Act. Because California’s law applies to the breach of any California resident’s records, it has had nationwide impact. Businesses and organizations located throughout the United States that did business with California residents found they had to meet California’s notification requirements, even though they had no offices or operations in California. Therefore, rather than simply notifying California residents, businesses experiencing security breaches chose to notify all of their customers. As a result, residents of states other than California (and the public via news reports) became increasingly aware of the data security problem.
Following California’s lead, most of the states and U.S. territories have enacted data security breach notification laws. These laws generally require organizations or governmental agencies to notify consumers orally or in writing if there is unauthorized acquisition of or access to unencrypted computerized personal information. Some states narrow the requirement to require notification only if the organization or agency reasonably believes the data security breach has resulted in or could result in identity theft or fraud.
Ohio’s data security breach notification law, effective on February 17, 2006, applies to the PII of Ohio residents. The law defines a “breach of the security of the system” as unauthorized access to and acquisition of unencrypted computerized data that compromises the security or confidentiality of personal information owned or licensed by a person and that results in, or is reasonably believed to cause a material risk of, identity theft or fraud to the person or property of an Ohio resident.
Q: Who is covered by Ohio’s law?
A: The law applies to any individual or business entity (both for-profit and not-for-profit) that conducts business in Ohio and that owns or licenses computerized data that includes personal information about an Ohio resident. The law also applies to individuals or business entities that keep computerized personal information of Ohio residents maintained by any state agency or political subdivision. The federal government requires federal and state-chartered financial institutions to notify their customers of data security breach, so they are exempted from Ohio’s requirements. Health care providers also may be exempted since they are subject to the federal Health Insurance Portability and Accountability Act notification requirements.
Q: What information is covered?
A: The “personal information” the law addresses includes an individual’s name (first name or first initial and last name), combined with and linked to the individual’s:
• Social Security number;
• driver’s license number or state identification card number; or
• account number, credit or debit card number, in combination with any necessary security or access code or password.
Q: What must my business do if we discover a breach of security?
A: Your business must conduct a reasonable and prompt investigation to determine the likelihood that any personal information has been or may be misused. If there is a reasonable likelihood of misuse, the owner or licensee of the computerized data must notify the affected Ohio residents as soon as possible. The notice may be by mail or telephone, but must be done as quickly as possible, and no more than 45 days after the breach is discovered. If the breach involves more than 1,000 Ohio residents, you must also notify national credit reporting agencies. You may use electronic notification if that is your business’s primary way of communicating with the person whose personal information has been breached.
Q: What if I don’t have sufficient contact information to provide notice?
A: If you don’t have the necessary contact, or if providing notice in writing or by telephone would exceed $250,000, or the breach affected more than 500,000 Ohio residents, you may provide substitute notice by:
• electronic mail notice if the person has an email address;
• conspicuous posting on your website; or
• notification to major media outlets (if the outlets’ audience exceeds 75 percent of Ohio’s population).
Q: What are the notification requirements for small business?
A: If your business has ten or fewer employees and the cost of providing notification to the breach victims will exceed $10,000, you can meet the notification requirements by:
• taking out a large (at least one-quarter of a page) paid advertisement in a local newspaper distributed in your business’s geographic area, to be published once a week for three consecutive weeks;
• conspicuously posting the notification on your business’s website; or
• providing notification to major media outlets in your business’s geographic area.
Q: Who enforces Ohio’s security breach notification law?
A: Ohio’s attorney general has exclusive enforcement authority, and the law does not authorize private lawsuits for failure to provide the required notice. The attorney general may conduct an investigation and bring claims asking a court to grant an injunction against the individual, business entity or government agency for failing to comply with the law. If the individual, business entity or government agency fails to comply with a court injunction, courts may impose civil monetary penalties of up to $10,000 per day.
Law You Can Use is a weekly consumer legal information column provided by the Ohio State Bar Association. This article was prepared by Jane Hils Shea, an attorney in the Cincinnati office of Frost Brown Todd LLC.