You are here


Survey Answer:

Ohio law sets forth that, upon the discovery of a data breach exposing confidential personal information owned or licensed by an entity, notification should be sent to the mailing address as reflected in the records of any person whose personal information was or was reasonably believed to have been accessed and acquired through the breach in the most expedient time possible, but not later than 45 days following discovery of the breach.
In addition, if a breach occurs which exposes the personal information of more than 1000 residents of Ohio, the entity also has a responsibility to inform all consumer reporting agencies nationally.
Any entity which is maintaining or storing data which includes personal information on behalf of another entity has an obligation to notify the other entity of any breach which causes or can reasonably cause a material risk of identity theft or other fraud to an Ohio resident.
Notice itself may be given through multiple different means. Depending on the nature of the relationship, and the extent of the breach, the cost of notification, and the size of the entity which licensed or owned the personal information, notification may be written, telephonic, electronic, a notification to major media outlets, a conspicuous posting on the entity’s website, or a newspaper advertisement to be distributed in the geographic area in which the entity is located.

Provided By:
Fred Bellamy: Ryley Carlock & Applewhite