
Bill Analysis

Legislative Service Commission

Sub. H.B. 104
126th General Assembly
(As Reported by H. Civil and Commercial Law)

BILL SUMMARY

TABLE OF CONTENTS
Disclosure or notification by state agency of breach of security of personal information system
Disclosure or notification by any person or business of breach of security of personal information system
Investigation and enforcement by Attorney General
Statewide concern--preemption
CONTENT AND OPERATION
Disclosure or notification by state agency of breach of security of personal information system
The bill generally provides for a state agency's disclosure to Ohio residents of any breach of security of the agency's computerized data that includes personal information or notification of any such breach of security to another state agency on behalf of which computerized data that includes personal information is maintained by the state agency.
Requirement for disclosure or notification
The bill requires any "state agency" that "maintains" computerized data that includes "personal information" to disclose any "breach of the security of the system," following its discovery or notification of the breach of the security of the system, to any resident of Ohio whose personal information was, or reasonably is believed to have been, acquired by an unauthorized person.  (See "Definitions for purposes of disclosure or notification by state agency," below, for definitions of the terms in quotation marks.)  The disclosure may be made pursuant to any provision of a contract entered into by the state agency with any person or another state agency prior to the date the breach of the security of the system occurred if that contract does not conflict with any provision of the bill.  For the purposes of this provision, a resident of this state is an individual whose principal mailing address as reflected in the records of the state agency is in Ohio.  The state agency must make that disclosure in the most expedient time possible but not later than 45 days following its discovery or notification of the breach in the security of the system, subject to the legitimate needs of law enforcement activities described below, and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.  (R.C. 1347.12(B).)
The bill also requires any state agency that on behalf of another state agency maintains computerized data that includes personal information to notify that other state agency of any breach of the security of the system in an expeditious manner, if the personal information was, or reasonably is believed to have been, acquired by an unauthorized person (R.C. 1347.12(C)).
The bill permits the state agency to delay the required disclosure or notification described in the two preceding paragraphs if a law enforcement agency determines that the disclosure or notification will impede a criminal investigation, in which case, the state agency must make the disclosure or notification after the law enforcement agency determines that disclosure or notification will not compromise the investigation (R.C. 1347.12(D)).
Methods of disclosure or notification
The bill provides that a state agency may disclose or make a notification as described above by any of following methods (R.C. 1347.12(E)):
(1) Written notice;
(2) Electronic notice, if the disclosure or notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. 7001, as amended (Electronic Signatures in Global and National Commerce Act) (see COMMENT);
(3) Telephone notice;
(4) Notice consisting of all of the following:  (a) electronic mail notice when the state agency has electronic mail addresses for the subject persons requiring disclosure or notification, (b) conspicuous posting of the disclosure or notice on the state agency's website, if the agency maintains one, and (c) notification to major statewide media.
The bill provides that notwithstanding the above methods for making a disclosure or notification, a state agency that maintains its own disclosure or notification procedures as part of an information privacy or security policy for the treatment of personal information, which procedures also are consistent with the timing requirements of the bill, is in compliance with the bill's disclosure or notification requirements, if it notifies subject persons requiring disclosure or notification in accordance with its policies in the event of a breach of the security of the system  (R.C. 1347.12(F)).
Disclosure or notification of breach of security of system involving more than 1,000 persons:  consumer reporting agencies
The bill provides that if a state agency discovers circumstances that require disclosure under the bill to more than 1,000 Ohio residents involved in a single occurrence of a breach of the security of the system, the state agency must notify, without unreasonable delay, all "consumer reporting agencies that compile and maintain files on consumers on a nationwide basis" (see "Definitions for purposes of disclosure or notification by state agency," below) of the timing, distribution, and content of the disclosure given by the state agency to the Ohio residents (R.C. 1347.12(G)).
Definitions for purposes of disclosure or notification by state agency
The bill defines the following terms for purposes of its provisions requiring a state agency to make the disclosure or notification described above (R.C. 1347.12(A)):
"State agency" means every organized body, office, or agency established by the laws of Ohio for the exercise of any function of state government (R.C. 1.60).
"Personal information" means an individual's (defined as a natural person) first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted, redacted, or altered by any method or technology:  (1) social security number, (2) driver's license number or state identification card number, or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.
"Breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a state agency and that causes or reasonably is believed to cause injury or loss to the person or property of a resident of this state.  Good faith acquisition of personal information by an employee or agent of the state agency for the purposes of the state agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.  Acquisition of personal information pursuant to a search warrant, subpoena, or other court order is not a breach of the security of the system.
"Consumer reporting agency that compiles and maintains files on consumers on a nationwide basis" means a consumer reporting agency that, for the purpose of furnishing consumer reports to third parties bearing on a consumer's creditworthiness, credit standing, or credit capacity, regularly engages in the practice of assembling or evaluating, and maintaining, each of the following regarding consumers residing nationwide:  (1) public record information, and (2) credit account information from persons who furnish that information to the credit reporting agency regularly and in the ordinary course of business.
Existing law defines the following terms, and the definitions apply to the provisions requiring a state agency to make the disclosure or notification described above (R.C. 1347.01(D) and (F), definitions of terms used in R.C. Chapter 1347 (Personal Information Systems Law), which includes the bill's provisions)[1]:
"Maintains" means state or local agency ownership of, control over, responsibility for, or accountability for systems and includes, but is not limited to, state or local agency depositing of information with a data processing center for storage, processing, or dissemination.  An agency "maintains" all systems of records that are required by law to be kept by the agency.
"System" means any collection or group of related records that are kept in an organized manner and that are maintained by a state or local agency, and from which personal information is retrieved by the name of the person or by some identifying number, symbol, or other identifier assigned to the person. "System" includes both records that are manually stored and records that are stored using electronic data processing equipment. "System" does not include collected archival records in the custody of or administered under the authority of the Ohio Historical Society, published directories, reference materials or newsletters, or routine information that is maintained for the purpose of internal office administration, the use of which would not adversely affect a person.
Disclosure or notification by any person or business of breach of security of personal information system
The bill generally provides for the disclosure by any person or business conducting business in Ohio to residents of Ohio of any breach of security of computerized data that includes personal information.
Requirement for disclosure or notification
The bill requires any person or "business" that conducts business in Ohio and that "maintains" computerized data that includes "personal information" to disclose any "breach of the security of the system," following its discovery or notification of the breach of the security of the system, to any resident of Ohio whose personal information was, or reasonably is believed to have been, acquired by an unauthorized person.  (See "Definitions for purposes of disclosure or notification by any person or business," below, for definitions of the terms in quotation marks.)  The disclosure may be made pursuant to any provision of a contract entered into by the person or business with another person or business prior to the date the breach of the security of the system occurred if that contract does not conflict with any provision of the bill and does not waive any provision of the bill.  The person or business must make the required disclosure in the most expedient time possible but not later than 45 days following its discovery or notification of the breach in the security of the system, subject to the legitimate needs of law enforcement activities described below and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.  For the purposes of this provision, a resident of this state is an individual whose principal mailing address as reflected in the records of the person or business is in Ohio.  (R.C. 1349.19(B).)
The bill also requires any person or business that on behalf of another person or business maintains computerized data that includes personal information to notify that other person or business of any breach of the security of the system in an expeditious manner, if the personal information was, or reasonably is believed to have been, acquired by an unauthorized person (R.C. 1349.19(C)).
The bill permits any person or business to delay the required disclosure or notification as described in the two preceding paragraphs if a law enforcement agency determines that the disclosure or notification will impede a criminal investigation, in which case, the person or business must make the disclosure or notification after the law enforcement agency determines that disclosure or notification will not compromise the investigation (R.C. 1349.19(D)).
Methods of disclosure or notification
The bill provides that a person or business may disclose or make a notification as described above by any of the following methods (R.C. 1349.19(E)):
(1) Written notice;
(2) Electronic notice, if the disclosure or notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. 7001, as amended (Electronic Signatures in Global and National Commerce Act) (see COMMENT);
(3) Telephone notice;
(4) Notice consisting of all of the following:  (a) electronic mail notice when the person or business has electronic mail addresses for the subject persons requiring disclosure or notification, (b) conspicuous posting of the disclosure or notice on the person's or business' website, if the person or business maintains one, and (c) notification to major statewide media.
The bill provides that notwithstanding the above methods for making a disclosure or notification, a person or business that maintains its own disclosure or notification procedures as part of an information privacy or security policy for the treatment of personal information, which procedures also are consistent with the timing requirements of the bill, is in compliance with the bill's disclosure or notification requirements, if the person or business notifies subject persons requiring disclosure or notification in accordance with its policies in the event of a breach of the security of the system (R.C. 1349.19(F)(1)).
The bill provides that a financial institution, trust company, or credit union or any affiliate of a financial institution, trust company, or credit union that is required by federal law, including, but not limited to, any federal statute, regulation, regulatory guidance, or other regulatory action, to notify its customers of an information security breach with respect to information about those customers and that is subject to examination by its functional government regulatory agency for compliance with the applicable federal law, is exempt from the bill's requirements (R.C. 1349.19(F)(2)).
Disclosure or notification of breach of security of system involving more than 1,000 persons:  consumer reporting agencies
The bill provides that if a person or business discovers circumstances that require disclosure under the bill to more than 1,000 Ohio residents involved in a single occurrence of a breach of the security of the system, the person or business must notify, without unreasonable delay, all "consumer reporting agencies that compile and maintain files on consumers on a nationwide basis" (see "Definitions for purposes of disclosure or notification by any person or business," below) of the timing, distribution, and content of the disclosure given by the person or business to the Ohio residents (R.C. 1349.19(G)).
Nonwaivable duties
The bill provides that any waiver of the above provisions requiring disclosure or notification by a person or business is contrary to public policy and is void and unenforceable (R.C. 1349.19(H)).
Application of bill
The bill provides that the above provisions do not apply to any person or entity regulated by sections 1171 to 1179 of the Social Security Act (Health Insurance Portability and Accountability Act or HIPAA) and any corresponding regulations (R.C. 1349.19(F)(3)).
Definitions for purposes of disclosure or notification by any person or business
The bill defines the following terms for purposes of its provisions requiring any person or business to make the above described disclosure or notification  (R.C. 1349.19(A)):
"Business" means both of the following:
(1) A sole proprietorship, partnership, corporation, association, or other group, however organized and whether operating for profit or not for profit, including a financial institution organized, chartered, or holding a license authorizing operation under the laws of Ohio, any other state, the United States, or any other country, or the parent or subsidiary of a financial institution;
(2) An entity that destroys records.
"Records" means any material, regardless of the physical form, on which information is recorded or preserved by any means, including in written or spoken words, graphically depicted, printed, or electromagnetically transmitted.  "Records" does not include publicly available directories containing information an individual voluntarily has consented to have publicly disseminated or listed, such as name, address, or telephone number.
"Personal information" and "Consumer reporting agency that compiles and maintains files on consumers on a nationwide basis" are defined in the same manner as the definition of those terms in "Definitions for purposes of disclosure or notification by state agency," above.
"Breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business and that causes or reasonably is believed to cause injury or loss to the person or property of a resident of this state.  Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.  Acquisition of personal information pursuant to a search warrant, subpoena, or other court order is not a breach of the security of the system.
"Maintains" means a person's or business's ownership of, control over, responsibility for, or accountability for systems and includes, but is not limited to, a person's or business's depositing of information with a data processing center for storage, processing, or dissemination.  A person or business "maintains" all systems of records that are required by law to be kept by the person or business.
"System" means any collection or group of related records that are kept in an organized manner, that are maintained by a state or business, and from which personal information is retrieved by the name of the person or by some identifying number, symbol, or other identifier assigned to the person.  "System" includes both records that are manually stored and records that are stored using electronic data processing equipment. "System" does not include published directories, reference materials or newsletters, or routine information that is maintained for the purpose of internal office administration of the person or business and the use of which would not adversely affect a person.
Investigation and enforcement by Attorney General
Investigation
The bill authorizes the Attorney General (AG) to conduct an investigation if the AG, based on complaints or the AG's own inquiries, has reason to believe that a state agency or a person or business has failed or is failing to comply with the respective requirements of the bill.  In any such investigation, the AG may administer oaths, subpoena witnesses, adduce evidence, and subpoena the production of any book, document, record, or other relevant matter.  If the AG subpoenas the production of any relevant matter that is located outside Ohio, the AG may designate a representative, including an official of the state in which that matter is located, to inspect the matter on the AG's behalf.  The AG may carry out similar requests received from officials of other states.  Any person who is subpoenaed to produce relevant matter must make that matter available at a convenient location in Ohio or the state of the representative designated as described above.  (R.C. 1349.191(B), (C), and (D), 1347.12(H), and 1349.19(I).)
Court procedure upon subpoena
Any person who is subpoenaed as a witness or to produce relevant matter may file in the Court of Common Pleas of Franklin County, the county in Ohio in which the person resides, or the county in Ohio in which the person's principal place of business is located a petition to extend for good cause shown the date on which the subpoena is to be returned or to modify or quash for good cause shown that subpoena.  The person may file the petition at any time prior to the date specified for the return of the subpoena or within 20 days after the service of the subpoena, whichever is earlier.  Any person who is subpoenaed as a witness or to produce relevant matter must comply with the terms of the subpoena unless the court orders otherwise prior to the date specified for the return of the subpoena or, if applicable, that date as extended.  If a person fails without lawful excuse to obey a subpoena, the AG may apply to the court of common pleas for an order that does one or more of the following:  (1) compels the requested discovery, (2) adjudges the person in contempt of court, (3) grants injunctive relief to restrain the person from failing to comply with the applicable requirements, (4) grants injunctive relief to preserve or restore the status quo, or (5) grants other relief that may be required until the person obeys the subpoena.  The court must impose a civil penalty on any person who violates a court order issued as described above.  The civil penalty is for not more than $1,000 for each day the person is violating the court order.  (R.C. 1349.191(E), (F), and (G) and 1349.192(A).)
Civil action
The bill authorizes the AG to bring a civil action in a court of common pleas for appropriate relief, including a temporary restraining order, preliminary or permanent injunction, and civil penalties, if it appears that a state agency or a person or business has failed or is failing to comply with the respective requirements of the bill.  Upon its findings of such a failure to comply, the court must impose a civil penalty of not more than $1,000 per day for each day the state agency or the person or business fails to comply with the applicable requirements.  Any civil penalty that is assessed under this provision must be deposited into the Consumer Protection Enforcement Fund to be used for the sole purpose of paying expenses incurred by the Consumer Protection Section of the AG's Office.  (R.C. 1349.192(A), 1347.12(H), 1349.19(I), and 1345.51.)
Any state agency or any person or business that is found by the court to have failed to comply with the applicable requirements in the bill is liable to the AG for the costs in conducting an investigation and bringing an action under the bill (R.C. 1349.192(B)).
The above rights and remedies are in addition to any other rights and remedies that are provided by law (R.C. 1349.192(C)).
Statewide concern--preemption
The bill states that it deals with a subject matter of statewide concern.  It also states that it is the intent of the General Assembly that the bill supersede and preempt all rules, regulations, resolutions, codes, and ordinances of all counties, municipal corporations, townships, and agencies of counties, municipal corporations, and townships that pertain to matters that are expressly set forth or regulated under the bill.  (Section 3.)
COMMENT

Existing 15 U.S.C. 7001 provides as follows:

HISTORY

ACTION                                 DATE        JOURNAL ENTRY
Introduced                             03-01-05    p. 240
Reported, H. Civil & Commercial Law    06-23-05    p. 1423

[1]   The definitions of "maintains" and "system" in R.C. 1347.01(D) refer to a state or local agency.  For purposes of the bill, these existing definitions apply only with respect to a state agency that maintains a system.