Data breaches are becoming more common, and small businesses are not spared. Because of this, it is important that you know what Ohio's notification requirements are for insurance agencies before the unthinkable occurs, not after.
Ohio Revised Code 1349.19 applies to any person or business that owns or licenses computerized personal information about Ohio residents, independent insurance agencies included, and it outlines the actions that must be taken in the event of a data breach.
To begin, it’s important to understand some of the key definitions in Ohio law that come into play in the instance of a breach.
Breach of the security of the system – this means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a person and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state.
Personal information – this means an individual's first name (or first initial) and last name, in combination with and linked to one or more of the following data elements (when the data elements are not encrypted, redacted, or altered in such a manner that the data elements are unreadable):
Social security number;
Driver's license number or state identification card number;
Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual's financial account.
In the event that you experience a security breach that meets the definitions above, notice must be provided to the affected Ohio residents in the most expedient time possible after discovery, but not later than 45 days following discovery of the breach.
The notification can be made in writing, electronically (if electronic communication is the primary method by which you communicate with the resident), or by telephone.
Substitute notice is available if you lack sufficient contact information for the affected residents, the cost of providing individual notice would exceed $250,000, or the affected class exceeds 500,000 people. Substitute notice consists of email notice where you have an email address, conspicuous posting on your website, and notification to major media outlets.
Finally, Ohio law requires you to notify the consumer reporting agencies that maintain files on consumers on a nationwide basis when a single breach requires notification of more than 1,000 Ohio residents.
Additional ODI Requirements
In addition to the notifications required by law, the Ohio Department of Insurance (ODI) has specific notification requirements for insurance agents and agencies in Bulletin 2009-12.
The bulletin requires that any “loss of control” of personal information for more than 250 Ohio residents must be reported to ODI within 15 calendar days of discovery.
“Loss of control” is defined as the unauthorized access to, acquisition of, or disappearance of any personal information, including with respect to computerized data the unauthorized access to and/or acquisition of that computerized data that compromises the security or confidentiality of personal information.
Further, the bulletin defines “personal information” as an individual’s name, consisting of the individual’s first name (or first initial) and last name, in combination with:
a social security number, or
a driver’s license number or state identification number, or
a bank/credit/debit card or account number.
This largely tracks the definition in Ohio law, with one important difference: under the bulletin, a loss of control must be reported even when the bank, credit or debit card number or account number is NOT combined with and linked to a security code, access code or password that would permit access to the individual's financial account. In other words, the ODI reporting trigger is broader than the statutory one.
Substitute Notice Options for Small Businesses
If you have a smaller agency, there is an important component of Ohio law that could provide relief. A business with 10 or fewer employees that demonstrates it would incur a cost of more than $10,000 to provide individual notification to the residents affected by the breach can instead use the following substitute notice options:
Notification by a paid advertisement in a local newspaper that is distributed in the geographic area in which the agency is located. The ad must be at least one-quarter of a page and must be published at least once a week for three consecutive weeks;
Conspicuous posting of the notice on the agency's website;
Notification to major media outlets in the geographic area in which the agency is located.
Penalties for Non-Compliance
Failure to comply with Ohio's law exposes the business to civil penalties, which the Ohio Attorney General may seek in court: up to $1,000 for each day of non-compliance, rising to up to $5,000 per day after 60 days and up to $10,000 per day after 90 days.
Exceptions to Ohio Law
Exceptions do exist to Ohio's breach notification law.
For instance, if the personal information involved was encrypted, redacted or otherwise rendered unreadable, the notification law does not apply. The exception turns on the data actually being unreadable to whoever obtained it; whether it still applies when the decryption key or credentials were taken in the same incident is a question to raise with counsel rather than assume.
The notification timeline can also be affected when a law enforcement agency determines that notice would impede a criminal investigation; in that case notice may be delayed until law enforcement indicates it will no longer do so.
In addition, a covered entity that is subject to HIPAA is deemed to be in compliance with the Ohio law.
Furthermore, financial institutions, trust companies, credit unions and their affiliates that are subject to federal breach notification requirements and to examination by their functional federal regulator are exempt from Ohio's notification law.
What’s on the Horizon for Cybersecurity Requirements in Ohio
Last fall, the National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law.
Most notably, the model law would require insurance licensees with 10 or more employees, including insurance agencies and insurers, to establish an information security program that is commensurate with the size and complexity of the entity, the nature and scope of its activities, and the sensitivity of the information it protects.
The requirements are flexible and risk-based: each licensee's security program would have to be tailored to, and would have to respond to and mitigate, the risks identified in the periodic risk assessments the licensee performs.
The model also requires businesses to exercise due diligence and reasonableness in selecting third-party vendors that receive access to a licensee’s sensitive information and requires those entities to implement appropriate measures to protect such data.
Fortunately, the model cyber law adopted by the NAIC does not include the broad scope or several troubling elements of the cybersecurity regulation promulgated by the New York State Department of Financial Services last year.
So, what does the adoption of a model cyber law by the NAIC mean for Ohio?
The answer is nothing at this point. An NAIC model law has no effect in Ohio unless the Ohio General Assembly enacts it, whether on its own initiative or at the request of the Ohio Department of Insurance.
As of right now, it does not appear that ODI is looking to implement these requirements in Ohio. However, this is something that may be pursued in a future legislative session, particularly once a new Superintendent of Insurance takes over in 2019.
Optional Cyber Initiative
It is also important to note that a voluntary cybersecurity bill is receiving hearings in the Ohio Senate.
If passed, Senate Bill 220 would provide a legal safe harbor to covered entities (businesses that access, maintain, communicate or handle personal information) that implement one of several specified, industry-recognized data security frameworks.
Ultimately, SB 220 is intended as an incentive: rather than mandating controls, it encourages businesses to reach a higher level of cybersecurity through voluntary action, with the safe harbor as the reward.
At this point, it is not clear whether this legislation will have time to pass the Ohio General Assembly before the end of the legislative session.
OIA will keep members informed of any developments that occur on S.B. 220 or on any other cybersecurity legislation put forth in Ohio.
- Data Breach Notification Laws: Summary by State (reprinted with the permission of the Mintz Levin law firm)
- ORC 1349.19
- ODI Bulletin 2009-12
Additional Cyber Resources
- Agency Cyber Guide 1.0: Tools for compliance and protection in today's world of data breach and cybercrime (Agents Council for Technology, ACT)
NOTICE: The Ohio Insurance Agents Association, Inc. (OIA) provides this information with the express understanding that 1) no attorney-client relationship exists, 2) neither OIA nor its attorneys are engaged in providing legal advice and 3) that the information is of a general character. You should not rely on this information when dealing with personal or professional legal matters; rather, seek legal advice from retained legal counsel.