INDIANAPOLIS (Nov. 22, 2005)—Continuing a national public policy trend, Ohio Gov. Bob Taft has signed into law a bill requiring notification of security breaches, the National Association of Mutual Insurance Companies (NAMIC) has reported.
“Gov. Taft’s action last Thursday makes Ohio the 21st state to enact legislation requiring notification of security breaches,” according to Joe Thesing, NAMIC north central region state affairs manager.
NAMIC’s “Security Breach Notification Laws: What Threats Do They Pose for Insurers?” describes the enacted laws through June of this year.
The Ohio law requires state agencies, businesses and individuals who maintain computerized data of personal information to disclose to consumers, within 45 days, that an unauthorized person has obtained their information, subject to any ongoing law enforcement investigation. The bill becomes effective in 90 days.
“Troublesome language granting the attorney general far-reaching authority to pursue potential violations in place of federal officials was left out of the enacted bill,” Thesing said. “However, the enactment does authorize the attorney general to conduct an investigation and bring civil action against a state government agency or agency of a political subdivision that fails to comply with the notification procedure.”
House Bill 104 provides that violations are subject to fines of up to $1,000 per day for the first 60 days, up to $5,000 for the next 30 days and up to $10,000 per day over 90 days. The bill states that, in determining the penalty, judges must consider whether a company or governmental entity acted in bad faith in failing to comply with the notification requirements.
Thesing noted two other recent developments in this regard:
NAMIC’s primary concerns are the variances and inconsistencies among the data security laws enacted by the states that create inefficiencies for multi-state insurance carriers.
For further information, contact
Rick Nelson, APR
(317) 875-5250 Tel
(317) 879-8408 Fax