Bill Title: To require governmental agencies and persons that own or license computerized data containing personal information to report security breaches to the Attorney General and to require the Attorney General to establish a searchable database of the reports that is accessible by the public.
Spectrum: Partisan Bill (Democrat 2-0)
Status: (Introduced - Dead) 2012-06-05 - To State Government & Elections
[HB565 Detail] Download: Ohio-2011-HB565-Introduced.html
As Introduced
129th General Assembly | Regular Session | 2011-2012
Representatives Carney, Winburn
A BILL
To amend sections 1347.12 and 1349.19 and to enact | 1 |
section 1349.193 of the Revised Code to require | 2 |
governmental agencies and persons that own or | 3 |
license computerized data containing personal | 4 |
information to report security breaches to the | 5 |
Attorney General and to require the Attorney | 6 |
General to establish a searchable database of the | 7 |
reports that is accessible by the public. | 8 |
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF OHIO:
Section 1. That sections 1347.12 and 1349.19 be amended and | 9 |
section 1349.193 of the Revised Code be enacted to read as | 10 |
follows: | 11 |
Sec. 1347.12. (A) As used in this section: | 12 |
(1) "Agency of a political subdivision" means each organized | 13 |
body, office, or agency established by a political subdivision for | 14 |
the exercise of any function of the political subdivision, except | 15 |
that "agency of a political subdivision" does not include an | 16 |
agency that is a covered entity as defined in 45 C.F.R. 160.103, | 17 |
as amended. | 18 |
(2)(a) "Breach of the security of the system" means | 19 |
unauthorized access to and acquisition of computerized data that | 20 |
compromises the security or confidentiality of personal | 21 |
information owned or licensed by a state agency or an agency of a | 22 |
political subdivision and that causes, reasonably is believed to | 23 |
have caused, or reasonably is believed will cause a material risk | 24 |
of identity theft or other fraud to the person or property of a | 25 |
resident of this state. | 26 |
(b) For purposes of division (A)(2)(a) of this section: | 27 |
(i) Good faith acquisition of personal information by an | 28 |
employee or agent of the state agency or agency of the political | 29 |
subdivision for the purposes of the agency is not a breach of the | 30 |
security of the system, provided that the personal information is | 31 |
not used for an unlawful purpose or subject to further | 32 |
unauthorized disclosure. | 33 |
(ii) Acquisition of personal information pursuant to a search | 34 |
warrant, subpoena, or other court order, or pursuant to a | 35 |
subpoena, order, or duty of a regulatory state agency, is not a | 36 |
breach of the security of the system. | 37 |
(3) "Consumer reporting agency that compiles and maintains | 38 |
files on consumers on a nationwide basis" means a consumer | 39 |
reporting agency that regularly engages in the practice of | 40 |
assembling or evaluating, and maintaining, for the purpose of | 41 |
furnishing consumer reports to third parties bearing on a | 42 |
consumer's creditworthiness, credit standing, or credit capacity, | 43 |
each of the following regarding consumers residing nationwide: | 44 |
(a) Public record information; | 45 |
(b) Credit account information from persons who furnish that | 46 |
information regularly and in the ordinary course of business. | 47 |
(4) "Encryption" means the use of an algorithmic process to | 48 |
transform data into a form in which there is a low probability of | 49 |
assigning meaning without use of a confidential process or key. | 50 |
(5) "Individual" means a natural person. | 51 |
(6)(a) "Personal information" means, notwithstanding section | 52 |
1347.01 of the Revised Code, an individual's name, consisting of | 53 |
the individual's first name or first initial and last name, in | 54 |
combination with and linked to any one or more of the following | 55 |
data elements, when the data elements are not encrypted, redacted, | 56 |
or altered by any method or technology in such a manner that the | 57 |
data elements are unreadable: | 58 |
(i) Social security number; | 59 |
(ii) Driver's license number or state identification card | 60 |
number; | 61 |
(iii) Account number or credit or debit card number, in | 62 |
combination with and linked to any required security code, access | 63 |
code, or password that would permit access to an individual's | 64 |
financial account. | 65 |
(b) "Personal information" does not include publicly | 66 |
available information that is lawfully made available to the | 67 |
general public from federal, state, or local government records or | 68 |
any of the following media that are widely distributed: | 69 |
(i) Any news, editorial, or advertising statement published | 70 |
in any bona fide newspaper, journal, or magazine, or broadcast | 71 |
over radio or television; | 72 |
(ii) Any gathering or furnishing of information or news by | 73 |
any bona fide reporter, correspondent, or news bureau to news | 74 |
media described in division (A)(6)(b)(i) of this section; | 75 |
(iii) Any publication designed for and distributed to members | 76 |
of any bona fide association or charitable or fraternal nonprofit | 77 |
corporation; | 78 |
(iv) Any type of media similar in nature to any item, entity, | 79 |
or activity identified in division (A)(6)(b)(i), (ii), or (iii) of | 80 |
this section. | 81 |
(7) "Political subdivision" has the same meaning as in | 82 |
section 2744.01 of the Revised Code. | 83 |
(8) "Record" means any information that is stored in an | 84 |
electronic medium and is retrievable in perceivable form. "Record" | 85 |
does not include any publicly available directory containing | 86 |
information an individual voluntarily has consented to have | 87 |
publicly disseminated or listed, such as name, address, or | 88 |
telephone number. | 89 |
(9) "Redacted" means altered or truncated so that no more | 90 |
than the last four digits of a social security number, driver's | 91 |
license number, state identification card number, account number, | 92 |
or credit or debit card number is accessible as part of the data. | 93 |
(10) "State agency" has the same meaning as in section 1.60 | 94 |
of the Revised Code, except that "state agency" does not include | 95 |
an agency that is a covered entity as defined in 45 C.F.R. | 96 |
160.103, as amended. | 97 |
(11) "System" means, notwithstanding section 1347.01 of the | 98 |
Revised Code, any collection or group of related records that are | 99 |
kept in an organized manner, that are maintained by a state agency | 100 |
or an agency of a political subdivision, and from which personal | 101 |
information is retrieved by the name of the individual or by some | 102 |
identifying number, symbol, or other identifier assigned to the | 103 |
individual. "System" does not include any collected archival | 104 |
records in the custody of or administered under the authority of | 105 |
the Ohio historical society, any published directory, any | 106 |
reference material or newsletter, or any routine information that | 107 |
is maintained for the purpose of internal office administration of | 108 |
the agency, if the use of the directory, material, newsletter, or | 109 |
information would not adversely affect an individual and if there | 110 |
has been no unauthorized external breach of the directory, | 111 |
material, newsletter, or information. | 112 |
(B)(1) Any state agency or agency of a political subdivision | 113 |
that owns or licenses computerized data that includes personal | 114 |
information shall disclose any breach of the security of the | 115 |
system, following its discovery or notification of the breach of | 116 |
the security of the system, to any resident of this state whose | 117 |
personal information was, or reasonably is believed to have been, | 118 |
accessed and acquired by an unauthorized person if the access and | 119 |
acquisition by the unauthorized person causes or reasonably is | 120 |
believed will cause a material risk of identity theft or other | 121 |
fraud to the resident. The disclosure described in this division | 122 |
may be made pursuant to any provision of a contract entered into | 123 |
by the state agency or agency of a political subdivision with any | 124 |
person or another state agency or agency of a political | 125 |
subdivision prior to the date the breach of the security of the | 126 |
system occurred if that contract does not conflict with any | 127 |
provision of this section. For purposes of this section, a | 128 |
resident of this state is an individual whose principal mailing | 129 |
address as reflected in the records of the state agency or agency | 130 |
of a political subdivision is in this state. | 131 |
(2) The state agency or agency of a political subdivision | 132 |
shall make the disclosure described in division (B)(1) of this | 133 |
section in the most expedient time possible but not later than | 134 |
forty-five days following its discovery or notification of the | 135 |
breach in the security of the system, subject to the legitimate | 136 |
needs of law enforcement activities described in division (D) of | 137 |
this section and consistent with any measures necessary to | 138 |
determine the scope of the breach, including which residents' | 139 |
personal information was accessed and acquired, and to restore the | 140 |
reasonable integrity of the data system. | 141 |
(3) Any state agency or agency of a political subdivision | 142 |
that is required to disclose a breach of the security of the | 143 |
system under division (B) of this section shall, within the time | 144 |
allowed for disclosure of the breach, report the breach to the | 145 |
attorney general in writing or by electronic mail. The report | 146 |
shall include the date of the breach, the number of people | 147 |
affected by the breach, the method used to notify persons affected | 148 |
by the breach, and any other information the attorney general may | 149 |
require. | 150 |
(C) Any state agency or agency of a political subdivision | 151 |
that, on behalf of or at the direction of another state agency or | 152 |
agency of a political subdivision, is the custodian of or stores | 153 |
computerized data that includes personal information shall notify | 154 |
that other state agency or agency of a political subdivision of | 155 |
any breach of the security of the system in an expeditious manner, | 156 |
if the personal information was, or reasonably is believed to have | 157 |
been, accessed and acquired by an unauthorized person and if the | 158 |
access and acquisition by the unauthorized person causes or | 159 |
reasonably is believed will cause a material risk of identity | 160 |
theft or other fraud to a resident of this state. | 161 |
(D) The state agency or agency of a political subdivision may | 162 |
delay the disclosure or notification required by division (B), | 163 |
(C), or (F) of this section if a law enforcement agency determines | 164 |
that the disclosure or notification will impede a criminal | 165 |
investigation or jeopardize homeland or national security, in | 166 |
which case, the state agency or agency of a political subdivision | 167 |
shall make the disclosure or notification after the law | 168 |
enforcement agency determines that disclosure or notification will | 169 |
not compromise the investigation or jeopardize homeland or | 170 |
national security. | 171 |
(E) For purposes of this section, a state agency or agency of | 172 |
a political subdivision may disclose or make a notification by any | 173 |
of the following methods: | 174 |
(2) Electronic notice, if the state agency's or agency of a | 176 |
political subdivision's primary method of communication with the | 177 |
resident to whom the disclosure must be made is by electronic | 178 |
means; | 179 |
(4) Substitute notice in accordance with this division, if | 181 |
the state agency or agency of a political subdivision required to | 182 |
disclose demonstrates that the agency does not have sufficient | 183 |
contact information to provide notice in a manner described in | 184 |
division (E)(1), (2), or (3) of this section, or that the cost of | 185 |
providing disclosure or notice to residents to whom disclosure or | 186 |
notification is required would exceed two hundred fifty thousand | 187 |
dollars, or that the affected class of subject residents to whom | 188 |
disclosure or notification is required exceeds five hundred | 189 |
thousand persons. Substitute notice under this division shall | 190 |
consist of all of the following: | 191 |
(a) Electronic mail notice if the state agency or agency of a | 192 |
political subdivision has an electronic mail address for the | 193 |
resident to whom the disclosure must be made; | 194 |
(b) Conspicuous posting of the disclosure or notice on the | 195 |
state agency's or agency of a political subdivision's web site, if | 196 |
the agency maintains one; | 197 |
(c) Notification to major media outlets, to the extent that | 198 |
the cumulative total of the readership, viewing audience, or | 199 |
listening audience of all of the outlets so notified equals or | 200 |
exceeds seventy-five per cent of the population of this state. | 201 |
(5) Substitute notice in accordance with this division, if | 202 |
the state agency or agency of a political subdivision required to | 203 |
disclose demonstrates that the agency has ten employees or fewer | 204 |
and that the cost of providing the disclosures or notices to | 205 |
residents to whom disclosure or notification is required will | 206 |
exceed ten thousand dollars. Substitute notice under this division | 207 |
shall consist of all of the following: | 208 |
(a) Notification by a paid advertisement in a local newspaper | 209 |
that is distributed in the geographic area in which the state | 210 |
agency or agency of a political subdivision is located, which | 211 |
advertisement shall be of sufficient size that it covers at least | 212 |
one-quarter of a page in the newspaper and shall be published in | 213 |
the newspaper at least once a week for three consecutive weeks; | 214 |
(b) Conspicuous posting of the disclosure or notice on the | 215 |
state agency's or agency of a political subdivision's web site, if | 216 |
the agency maintains one; | 217 |
(c) Notification to major media outlets in the geographic | 218 |
area in which the state agency or agency of a political | 219 |
subdivision is located. | 220 |
(F) If a state agency or agency of a political subdivision | 221 |
discovers circumstances that require disclosure under this section | 222 |
to more than one thousand residents of this state involved in a | 223 |
single occurrence of a breach of the security of the system, the | 224 |
state agency or agency of a political subdivision shall notify, | 225 |
without unreasonable delay, all consumer reporting agencies that | 226 |
compile and maintain files on consumers on a nationwide basis of | 227 |
the timing, distribution, and content of the disclosure given by | 228 |
the state agency or agency of a political subdivision to the | 229 |
residents of this state. In no case shall a state agency or agency | 230 |
of a political subdivision that is required to make a notification | 231 |
required by this division delay any disclosure or notification | 232 |
required by division (B) or (C) of this section in order to make | 233 |
the notification required by this division. | 234 |
(G) The attorney general, pursuant to sections 1349.191 and | 235 |
1349.192 of the Revised Code, may conduct an investigation and | 236 |
bring a civil action upon an alleged failure by a state agency or | 237 |
agency of a political subdivision to comply with the requirements | 238 |
of this section. | 239 |
Sec. 1349.19. (A) As used in this section: | 240 |
(1)(a) "Breach of the security of the system" means | 241 |
unauthorized access to and acquisition of computerized data that | 242 |
compromises the security or confidentiality of personal | 243 |
information owned or licensed by a person and that causes, | 244 |
reasonably is believed to have caused, or reasonably is believed | 245 |
will cause a material risk of identity theft or other fraud to the | 246 |
person or property of a resident of this state. | 247 |
(b) For purposes of division (A)(1)(a) of this section: | 248 |
(i) Good faith acquisition of personal information by an | 249 |
employee or agent of the person for the purposes of the person is | 250 |
not a breach of the security of the system, provided that the | 251 |
personal information is not used for an unlawful purpose or | 252 |
subject to further unauthorized disclosure. | 253 |
(ii) Acquisition of personal information pursuant to a search | 254 |
warrant, subpoena, or other court order, or pursuant to a | 255 |
subpoena, order, or duty of a regulatory state agency, is not a | 256 |
breach of the security of the system. | 257 |
(2) "Business entity" means a sole proprietorship, | 258 |
partnership, corporation, association, or other group, however | 259 |
organized and whether operating for profit or not for profit, | 260 |
including a financial institution organized, chartered, or holding | 261 |
a license authorizing operation under the laws of this state, any | 262 |
other state, the United States, or any other country, or the | 263 |
parent or subsidiary of a financial institution. | 264 |
(3) "Consumer reporting agency that compiles and maintains | 265 |
files on consumers on a nationwide basis" means a consumer | 266 |
reporting agency that regularly engages in the practice of | 267 |
assembling or evaluating, and maintaining, for the purpose of | 268 |
furnishing consumer reports to third parties bearing on a | 269 |
consumer's creditworthiness, credit standing, or credit capacity, | 270 |
each of the following regarding consumers residing nationwide: | 271 |
(a) Public record information; | 272 |
(b) Credit account information from persons who furnish that | 273 |
information regularly and in the ordinary course of business. | 274 |
(4) "Encryption" means the use of an algorithmic process to | 275 |
transform data into a form in which there is a low probability of | 276 |
assigning meaning without use of a confidential process or key. | 277 |
(5) "Individual" means a natural person. | 278 |
(6) "Person" has the same meaning as in section 1.59 of the | 279 |
Revised Code, except that "person" includes a business entity only | 280 |
if the business entity conducts business in this state. | 281 |
(7)(a) "Personal information" means an individual's name, | 282 |
consisting of the individual's first name or first initial and | 283 |
last name, in combination with and linked to any one or more of | 284 |
the following data elements, when the data elements are not | 285 |
encrypted, redacted, or altered by any method or technology in | 286 |
such a manner that the data elements are unreadable: | 287 |
(i) Social security number; | 288 |
(ii) Driver's license number or state identification card | 289 |
number; | 290 |
(iii) Account number or credit or debit card number, in | 291 |
combination with and linked to any required security code, access | 292 |
code, or password that would permit access to an individual's | 293 |
financial account. | 294 |
(b) "Personal information" does not include publicly | 295 |
available information that is lawfully made available to the | 296 |
general public from federal, state, or local government records or | 297 |
any of the following media that are widely distributed: | 298 |
(i) Any news, editorial, or advertising statement published | 299 |
in any bona fide newspaper, journal, or magazine, or broadcast | 300 |
over radio or television; | 301 |
(ii) Any gathering or furnishing of information or news by | 302 |
any bona fide reporter, correspondent, or news bureau to news | 303 |
media described in division (A)(7)(b)(i) of this section; | 304 |
(iii) Any publication designed for and distributed to members | 305 |
of any bona fide association or charitable or fraternal nonprofit | 306 |
corporation; | 307 |
(iv) Any type of media similar in nature to any item, entity, | 308 |
or activity identified in division (A)(7)(b)(i), (ii), or (iii) of | 309 |
this section. | 310 |
(8) "Record" means any information that is stored in an | 311 |
electronic medium and is retrievable in perceivable form. "Record" | 312 |
does not include any publicly available directory containing | 313 |
information an individual voluntarily has consented to have | 314 |
publicly disseminated or listed, such as name, address, or | 315 |
telephone number. | 316 |
(9) "Redacted" means altered or truncated so that no more | 317 |
than the last four digits of a social security number, driver's | 318 |
license number, state identification card number, account number, | 319 |
or credit or debit card number is accessible as part of the data. | 320 |
(10) "System" means any collection or group of related | 321 |
records that are kept in an organized manner, that are maintained | 322 |
by a person, and from which personal information is retrieved by | 323 |
the name of the individual or by some identifying number, symbol, | 324 |
or other identifier assigned to the individual. "System" does not | 325 |
include any published directory, any reference material or | 326 |
newsletter, or any routine information that is maintained for the | 327 |
purpose of internal office administration of the person, if the | 328 |
use of the directory, material, newsletter, or information would | 329 |
not adversely affect an individual, and there has been no | 330 |
unauthorized external breach of the directory, material, | 331 |
newsletter, or information. | 332 |
(B)(1) Any person that owns or licenses computerized data | 333 |
that includes personal information shall disclose any breach of | 334 |
the security of the system, following its discovery or | 335 |
notification of the breach of the security of the system, to any | 336 |
resident of this state whose personal information was, or | 337 |
reasonably is believed to have been, accessed and acquired by an | 338 |
unauthorized person if the access and acquisition by the | 339 |
unauthorized person causes or reasonably is believed will cause a | 340 |
material risk of identity theft or other fraud to the resident. | 341 |
The disclosure described in this division may be made pursuant to | 342 |
any provision of a contract entered into by the person with | 343 |
another person prior to the date the breach of the security of the | 344 |
system occurred if that contract does not conflict with any | 345 |
provision of this section and does not waive any provision of this | 346 |
section. For purposes of this section, a resident of this state is | 347 |
an individual whose principal mailing address as reflected in the | 348 |
records of the person is in this state. | 349 |
(2) The person shall make the disclosure described in | 350 |
division (B)(1) of this section in the most expedient time | 351 |
possible but not later than forty-five days following its | 352 |
discovery or notification of the breach in the security of the | 353 |
system, subject to the legitimate needs of law enforcement | 354 |
activities described in division (D) of this section and | 355 |
consistent with any measures necessary to determine the scope of | 356 |
the breach, including which residents' personal information was | 357 |
accessed and acquired, and to restore the reasonable integrity of | 358 |
the data system. | 359 |
(3) Any person that is required to disclose a breach of the | 360 |
security of the system under division (B) of this section shall, | 361 |
within the time allowed for disclosure of the breach, report the | 362 |
breach to the attorney general in writing or by electronic mail. | 363 |
The report shall include the date of the breach, the number of | 364 |
people affected by the breach, the method used to notify persons | 365 |
affected by the breach, and any other information the attorney | 366 |
general may require. | 367 |
(C) Any person that, on behalf of or at the direction of | 368 |
another person or on behalf of or at the direction of any | 369 |
governmental entity, is the custodian of or stores computerized | 370 |
data that includes personal information shall notify that other | 371 |
person or governmental entity of any breach of the security of the | 372 |
system in an expeditious manner, if the personal information was, | 373 |
or reasonably is believed to have been, accessed and acquired by | 374 |
an unauthorized person and if the access and acquisition by the | 375 |
unauthorized person causes or reasonably is believed will cause a | 376 |
material risk of identity theft or other fraud to a resident of | 377 |
this state. | 378 |
(D) The person may delay the disclosure or notification | 379 |
required by division (B), (C), or (G) of this section if a law | 380 |
enforcement agency determines that the disclosure or notification | 381 |
will impede a criminal investigation or jeopardize homeland or | 382 |
national security, in which case, the person shall make the | 383 |
disclosure or notification after the law enforcement agency | 384 |
determines that disclosure or notification will not compromise the | 385 |
investigation or jeopardize homeland or national security. | 386 |
(E) For purposes of this section, a person may disclose or | 387 |
make a notification by any of the following methods: | 388 |
(2) Electronic notice, if the person's primary method of | 390 |
communication with the resident to whom the disclosure must be | 391 |
made is by electronic means; | 392 |
(4) Substitute notice in accordance with this division, if | 394 |
the person required to disclose demonstrates that the person does | 395 |
not have sufficient contact information to provide notice in a | 396 |
manner described in division (E)(1), (2), or (3) of this section, | 397 |
or that the cost of providing disclosure or notice to residents to | 398 |
whom disclosure or notification is required would exceed two | 399 |
hundred fifty thousand dollars, or that the affected class of | 400 |
subject residents to whom disclosure or notification is required | 401 |
exceeds five hundred thousand persons. Substitute notice under | 402 |
this division shall consist of all of the following: | 403 |
(a) Electronic mail notice if the person has an electronic | 404 |
mail address for the resident to whom the disclosure must be made; | 405 |
(b) Conspicuous posting of the disclosure or notice on the | 406 |
person's web site, if the person maintains one; | 407 |
(c) Notification to major media outlets, to the extent that | 408 |
the cumulative total of the readership, viewing audience, or | 409 |
listening audience of all of the outlets so notified equals or | 410 |
exceeds seventy-five per cent of the population of this state. | 411 |
(5) Substitute notice in accordance with this division, if | 412 |
the person required to disclose demonstrates that the person is a | 413 |
business entity with ten employees or fewer and that the cost of | 414 |
providing the disclosures or notices to residents to whom | 415 |
disclosure or notification is required will exceed ten thousand | 416 |
dollars. Substitute notice under this division shall consist of | 417 |
all of the following: | 418 |
(a) Notification by a paid advertisement in a local newspaper | 419 |
that is distributed in the geographic area in which the business | 420 |
entity is located, which advertisement shall be of sufficient size | 421 |
that it covers at least one-quarter of a page in the newspaper and | 422 |
shall be published in the newspaper at least once a week for three | 423 |
consecutive weeks; | 424 |
(b) Conspicuous posting of the disclosure or notice on the | 425 |
business entity's web site, if the entity maintains one; | 426 |
(c) Notification to major media outlets in the geographic | 427 |
area in which the business entity is located. | 428 |
(F)(1) A financial institution, trust company, or credit | 429 |
union or any affiliate of a financial institution, trust company, | 430 |
or credit union that is required by federal law, including, but | 431 |
not limited to, any federal statute, regulation, regulatory | 432 |
guidance, or other regulatory action, to notify its customers of | 433 |
an information security breach with respect to information about | 434 |
those customers and that is subject to examination by its | 435 |
functional government regulatory agency for compliance with the | 436 |
applicable federal law, is exempt from the requirements of this | 437 |
section. | 438 |
(2) This section does not apply to any person or entity that | 439 |
is a covered entity as defined in 45 C.F.R. 160.103, as amended. | 440 |
(G) If a person discovers circumstances that require | 441 |
disclosure under this section to more than one thousand residents | 442 |
of this state involved in a single occurrence of a breach of the | 443 |
security of the system, the person shall notify, without | 444 |
unreasonable delay, all consumer reporting agencies that compile | 445 |
and maintain files on consumers on a nationwide basis of the | 446 |
timing, distribution, and content of the disclosure given by the | 447 |
person to the residents of this state. In no case shall a person | 448 |
that is required to make a notification required by this division | 449 |
delay any disclosure or notification required by division (B) or | 450 |
(C) of this section in order to make the notification required by | 451 |
this division. | 452 |
(H) Any waiver of this section is contrary to public policy | 453 |
and is void and unenforceable. | 454 |
(I) The attorney general may conduct pursuant to sections | 455 |
1349.191 and 1349.192 of the Revised Code an investigation and | 456 |
bring a civil action upon an alleged failure by a person to comply | 457 |
with the requirements of this section. | 458 |
Sec. 1349.193. The attorney general shall establish and | 459 |
maintain a searchable database, accessible to the public, of all | 460 |
breaches of the security of their systems reported to the attorney | 461 |
general by state agencies or agencies of political subdivisions | 462 |
pursuant to section 1347.12 of the Revised Code or by persons | 463 |
pursuant to section 1349.19 of the Revised Code. The database | 464 |
shall include for each breach the date of the breach, the number | 465 |
of people affected by the breach, the method used to notify | 466 |
persons affected by the breach, and any other information the | 467 |
attorney general considers necessary for the protection of the | 468 |
public. | 469 |
Section 2. That existing sections 1347.12 and 1349.19 of the | 470 |
Revised Code are hereby repealed. | 471 |