Timing of Consumer Notification
“Most expedient time possible but not later than 45 days following discovery of breach.”
Method of Notice
Mail or phone. Email permitted if primary method of communication with resident.
Breach Definition
Unauthorized acquisition of computerized data that compromises security or confidentiality of personal information owned or licensed by person and that causes, reasonably is believed to have caused, or reasonably is believed will cause material risk of identity theft or other fraud to person or property of Ohio resident.
PII Definition
Individual’s first name or first initial and last name in combination with any of these if unencrypted, redacted, or altered by any other method rendering the data element unreadable:
  1. Social Security number;
  2. Driver's license or state identification card number; or
  3. Financial account number or credit or debit card number in combination with any required security code, access code or password that would permit access to account.
Third Party Notice
If person or business maintains covered information for someone else, it must notify them in expeditious manner following determination of breach.
How to Notify
No specific content requirement.
Substitute Notice

If no sufficient contact information or cost of providing notice would exceed $250,000 or affected class of residents exceeds 500,000, all: (a) email if person has email address for resident to whom disclosure must be made; (b) conspicuous posting of notice on website of person if person maintains one; and (c) notification to major statewide media so that audience exceeds 75% of state population.

If person required to provide notice is business with 10 or fewer employees and cost to provide notice would exceed $10,000, all: (a) advertisement in local newspaper covering at least 1/4 of page at least once a week for 3 consecutive weeks; (b) conspicuous posting of notice on website of person if person maintains one; and (c) notification to major statewide media.

Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 1,000 Ohio residents must be notified.
This State's Law
Businesses that create, maintain and comply with specific cybersecurity standards may qualify for safe harbor from breach litigation. If data security policies conform to one of several industry-recognized cybersecurity frameworks, business entity can invoke safe harbor as affirmative defense. Safe harbor only applies to tort claims that are based on Ohio law or brought in Ohio courts.
State Government Agency Notification Required