Most states have enacted legislation that provides specific notification requirements related to security breaches involving personal information. However, it is important to note that not every incident triggers notification requirements. If you determine that information has been compromised, you need to be prepared with an action plan to minimize damages and your exposure to legal actions.
The United States does not have a comprehensive federal breach notification system or set of requirements. In general, legal requirements flow from certain federal regulations and from several varying state regulations. Because of this structure, and because information and the internet do not respect state lines, your notification systems and processes need to be able to meet the requirements of states whose regulations are stricter than those of the state in which you are located, and should account for the requirements of certain states that conflict with other regulatory obligations. Whether you operate locally, regionally, nationally, or globally, your data breach plan and notification mechanisms need to be designed to let you comply with your varying legal and contractual obligations.
Understanding your organization’s legal and contractual obligations is the first step toward preparing actionable checklists and other tools that will give your team meaningful guidance in the event an incident occurs.
In Ohio, the law regulating the disclosure of a security breach of personal information is codified in Ohio Revised Code 1349.19.