Quick Facts
Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: Most expedient time possible but no longer than 45 days
Government Notification Required: No
Scope of this Summary:
Notification requirements applicable to individuals or commercial entities that conduct business in the state and own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Notification not required if the covered entity reasonably believes that the breach has not and will not cause a material risk of identity theft or other fraud to any Ohio resident.
Breach Defined
Unauthorized access and acquisition that compromises the security or confidentiality of the covered info, excluding certain good-faith acquisitions by employees or agents and acquisitions pursuant to a warrant, subpoena, or other court order.
Encryption Safe Harbor
Statute does not apply to information that is encrypted, redacted, or altered in a manner that renders it unreadable.
Form of Covered Info
Electronic Only
Covered Info
An individual's first name or first initial and last name, in combination with and linked to any one or more of the following data elements:
- Social Security number.
- Driver's license number or state identification card number.
- Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual's financial account.
Consumer Notice Timing
Must be made in the most expedient time possible but no later than 45 days following discovery of the breach, consistent with any measures necessary to determine the scope of the breach, including which residents were affected, and to restore the reasonable integrity of the system.
Consumer Notice Method
By written notice, telephone notice, or electronic notice if it is the covered entity's primary method of communication with resident. Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
The Ohio general breach notification statute does not set out specific content requirements for the notice to affected individuals.
Delayed Notice
Notification may be delayed if law enforcement determines that the notification will impede a criminal investigation or jeopardize homeland or national security.
Government Notice
The Ohio general breach notification statute does not require notice to any government or regulatory agencies.
Consumer Reporting Agency Notice
If more than 1,000 Ohio residents are notified, must notify, without unreasonable delay, all nationwide Consumer Reporting Agencies of timing, distribution, and content of the consumer notice. CRA notice may not delay any other required notifications.
Third-Party Notice
If you maintain covered info on behalf of another entity, you must notify it in an expeditious manner following determination of a breach if the breach causes or is reasonably believed will cause a material risk of identity theft or fraud to a resident.
Private Right of Action
The Ohio breach notification statutes do not provide for a private right of action.
Potential Penalties
Violations may result in civil penalties.
This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.
Last revised on June 15, 2023