Bill Analysis

Legislative Service Commission

H.B. 104
126th General Assembly
(As Introduced)

BILL SUMMARY TABLE OF CONTENTS
Disclosure or notification by state agency of breach of security of personal information system
Disclosure or notification by any person or business of breach of security of personal information system


CONTENT AND OPERATION
Disclosure or notification by state agency of breach of security of personal information system
The bill generally provides for a state agency's disclosure to Ohio residents of any breach of security of the agency's computerized data that includes personal information or notification of any such breach of security to the owner or licensee of personal information maintained by the state agency.
Requirement for disclosure or notification
The bill requires any "state agency" that owns or licenses computerized data that includes "personal information" to disclose any "breach of the security of the system," following discovery or notification of the breach in the security of the data, to any resident of Ohio whose unencrypted personal information was, or reasonably is believed to have been, acquired by an unauthorized person.  (See "Definitions for purposes of disclosure or notification by state agency," below, for definitions of the terms in quotation marks.)  The state agency must make that disclosure in the most expedient time possible and without unreasonable delay, subject to the legitimate needs of law enforcement activities described below, and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.  (R.C. 1347.12(B).)
The bill also requires any state agency that maintains computerized data that includes personal information that the state agency does not own to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or reasonably is believed to have been, acquired by an unauthorized person (R.C. 1347.12(C)).
The bill permits the state agency to delay the required disclosure or notification described in the two preceding paragraphs if a law enforcement agency determines that the disclosure or notification will impede a criminal investigation, in which case, the state agency must make the disclosure or notification after the law enforcement agency determines that disclosure or notification will not compromise the investigation (R.C. 1347.12(D)).
Methods of disclosure or notification
The bill provides that a state agency may disclose or make a notification as described above by the following methods (R.C. 1347.12(E)):
(1) Written notice;
(2) Electronic notice, if the disclosure or notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. 7001, as amended (Electronic Signatures in Global and National Commerce Act) (see COMMENT);
(3) Notice consisting of all of the following:  (a) electronic mail notice when the state agency has electronic mail addresses for the subject persons requiring disclosure or notification, (b) conspicuous posting of the disclosure or notice on the state agency's website, if the agency maintains one, and (c) notification to major statewide media.
The bill provides that notwithstanding the above methods for making a disclosure or notification, a state agency that maintains its own disclosure or notification procedures as part of an information security policy for the treatment of personal information, which procedures also are consistent with the timing requirements of the bill, is in compliance with the bill's disclosure or notification requirements, if it notifies subject persons requiring disclosure or notification in accordance with its policies in the event of a breach of the security of the system (R.C. 1347.12(F)).
Definitions for purposes of disclosure or notification by state agency
The bill defines the following terms for purposes of its provisions requiring a state agency to make the disclosure or notification described above (R.C. 1347.12(A)):
"State agency" means every organized body, office, or agency established by the laws of Ohio for the exercise of any function of state government (R.C. 1.60).
"Personal information" means an individual's (defined as a natural person) first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:  (1) social security number, (2) driver's license number or state identification card number, (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. 
"Breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a state agency.  Good faith acquisition of personal information by an employee or agent of the state agency for the purposes of the state agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
Disclosure or notification by any person or business of breach of security of personal information system
The bill generally provides for the disclosure by any person or business conducting business in Ohio to residents of Ohio of any breach of security of computerized data that includes personal information.
Requirement for disclosure or notification
The bill requires any person or "business" that conducts business in Ohio and that owns or licenses computerized data that includes "personal information" to disclose any "breach of the security of the system," following discovery or notification of the breach in the security of the data, to any resident of Ohio whose unencrypted personal information was, or reasonably is believed to have been, acquired by an unauthorized person.  (See "Definitions for purposes of disclosure or notification by any person or business," below, for definitions of the terms in quotation marks.)  The person or business must make the required disclosure in the most expedient time possible and without unreasonable delay, subject to the legitimate needs of law enforcement activities described below and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.  (R.C. 1349.19(B).)
The bill also requires any person or business that maintains computerized data that includes personal information that the person or business does not own to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or reasonably is believed to have been, acquired by an unauthorized person (R.C. 1349.19(C)).
The bill permits any person or business to delay the required disclosure or notification as described in the two preceding paragraphs if a law enforcement agency determines that the disclosure or notification will impede a criminal investigation, in which case, the person or business must make the disclosure or notification after the law enforcement agency determines that disclosure or notification will not compromise the investigation (R.C. 1349.19(D)).
Methods of disclosure or notification
The bill provides that a person or business may disclose or make a notification as described above by the following methods (R.C. 1349.19(E)):
(1) Written notice;
(2) Electronic notice, if the disclosure or notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. 7001, as amended (Electronic Signatures in Global and National Commerce Act) (see COMMENT);
(3) Notice consisting of all of the following:  (a) electronic mail notice when the person or business has electronic mail addresses for the subject persons requiring disclosure or notification, (b) conspicuous posting of the disclosure or notice on the person's or business' website, if the person or business maintains one, and (c) notification to major statewide media.
The bill provides that notwithstanding the above methods for making a disclosure or notification, a person or business that maintains its own disclosure or notification procedures as part of an information security policy for the treatment of personal information, which procedures also are consistent with the timing requirements of the bill, is in compliance with the bill's disclosure or notification requirements, if the person or business notifies subject persons requiring disclosure or notification in accordance with its policies in the event of a breach of the security of the system (R.C. 1349.19(F)).
Nonwaivable duties
The bill provides that any waiver of the above provisions requiring disclosure or notification by a person or business is contrary to public policy and is void and unenforceable (R.C. 1349.19(G)). 
Cause of action
The bill provides that any individual injured by a violation of any of the above provisions requiring disclosure or notification by a person or business has a cause of action for recovery of damages (R.C. 1349.19(H)).
Definitions for purposes of disclosure or notification by any person or business
The bill defines the following terms for purposes of its provisions requiring any person or business to make the above-described disclosure or notification (R.C. 1349.19(A)):
"Business" means both of the following:
(1) A sole proprietorship, partnership, corporation, association, or other group, however organized and whether operating for profit or not for profit, including a financial institution organized, chartered, or holding a license authorizing operation under the laws of Ohio, any other state, the United States, or any other country, or the parent or subsidiary of a financial institution;
(2) An entity that destroys records.
"Records" means any material, regardless of the physical form, on which information is recorded or preserved by any means, including in written or spoken words, graphically depicted, printed, or electromagnetically transmitted.  "Records" does not include publicly available directories containing information an individual voluntarily has consented to have publicly disseminated or listed, such as name, address, or telephone number.
"Personal information" is defined in the same manner as the definition of "personal information" in "Definitions for purposes of disclosure or notification by state agency," above.
"Breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business.  Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
COMMENT

Existing 15 U.S.C. 7001, not in the bill, provides as follows:

HISTORY

ACTION          DATE        JOURNAL ENTRY
Introduced      03-01-05    p. 240