# Ohio Consumer Privacy Law[^about]

Ohio has no comprehensive consumer-privacy statute. The operative framework is the 45-day breach-notification law (Ohio Rev. Code § 1349.19), enforced exclusively by the Attorney General, plus the Consumer Sales Practices Act, the chapter 1354 cybersecurity safe harbor, and the federal overlay.

## Which privacy laws apply to your business in Ohio? {#which-privacy-laws-apply}

**Short answer.** There is no comprehensive Ohio consumer-privacy law — Ohio regulates data by sector. The one across-the-board state duty is breach notification: any person that owns or licenses computerized data including personal information of Ohio residents must disclose a qualifying breach [^q1-breach-duty]. Around that sit the Consumer Sales Practices Act, which bans unfair or deceptive acts in consumer transactions and is how the Attorney General reaches privacy misrepresentations [^q1-cspa-deception], and the Ohio Data Protection Act, which rewards — but does not require — a written cybersecurity program with an affirmative defense to data-breach tort claims [^q1-dpa-defense].

Because Ohio has never enacted an omnibus privacy statute, its residents have no general state-law rights to access, delete, correct, or port their personal data, no right to opt out of sale or targeted advertising, and no universal opt-out-signal mechanism; businesses face no state notice-at-collection, consent, or data-protection-assessment duties. The omnibus push has failed twice — HB 376 in the 134th General Assembly was reported by committee but died without a floor vote, and HB 345 in the 135th died after referral to committee — and no consumer-data omnibus is pending in the current General Assembly. One naming trap deserves a flag: the 2026 bill styled the *Ohio Privacy Act* (House Bill 801, introduced March 31, 2026 and referred to committee) is sometimes misread as a consumer omnibus, but as introduced it would restrict data collection and out-of-state data sharing by state government agencies only and would impose no duties on private businesses.

What fills the gap is layered. The breach statute sets the statewide incident-response duty and is enforced exclusively by the Attorney General, a point developed in the enforcement prong below. The Consumer Sales Practices Act supplies the general deception hook for privacy promises. Chapter 1354 — the feature that most distinguishes Ohio — offers a voluntary litigation safe harbor for businesses that build a conforming written cybersecurity program, covered in its own question below. Insurance licensees carry an extra sectoral layer: chapter 3965 requires each licensee to develop, implement, and maintain a comprehensive written information security program based on its risk assessment [^q1-insurance-program]. Ohio also has a narrow payment-transaction rule that restricts recording credit-card account numbers when a check or draft is presented, and telephone or Social Security account numbers when payment is made by card, check, bill of exchange, or draft [^q1-payment-recording]; it is not a general privacy policy or data-use statute. And the federal overlay does the day-to-day work a state omnibus would otherwise do: FTC Act § 5 reaches deceptive or unfair data practices nationwide, GLBA governs financial institutions, HIPAA governs covered health entities, and COPPA governs services directed to children under 13. A program built to that overlay plus the breach statute upgrades, rather than restarts, if Ohio later enacts a comprehensive law.

## What must your Ohio privacy policy contain? {#privacy-policy-contents}

**Short answer.** No Ohio statute requires a general consumer privacy policy or fixes what it must say. The governing rule is that whatever you publish has to be true: FTC Act § 5 declares unfair or deceptive acts or practices unlawful [^q2-ftc5], and the Consumer Sales Practices Act applies the same ban under state law, so a policy that misstates how you collect, use, share, retain, or secure data is a deceptive act a supplier may not commit [^q2-cspa-deception]. Where a federal sectoral regime applies, that regime supplies the contents — a HIPAA covered entity, for example, must give individuals adequate notice of the uses and disclosures of their protected health information and of their rights and the entity's duties [^q2-hipaa-notice].

The state and federal deception standards run together by design: Ohio courts construing the Consumer Sales Practices Act must give due consideration and great weight to FTC orders, rules, and federal-court interpretations of the FTC Act [^q2-cspa-ftc-construction], so FTC privacy-enforcement materials are especially persuasive in Ohio CSPA analysis. In practice the drafting question in Ohio is less *what must be included* and more *does the policy match actual practice*. Build the policy from the overlay that applies to you: the GLBA privacy-notice rules if you are a financial institution — which may not disclose nonpublic personal information to nonaffiliated third parties without first giving the consumer a compliant notice [^q2-glba-notice] — the HIPAA Notice of Privacy Practices if you are a covered entity, and a COPPA notice if your service is directed to children under 13. For everyone else, follow best practice: describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — then honor it, because in Ohio the enforceable obligation is consistency between the statement and the conduct, not any state-mandated checklist.

## What must your contracts with vendors say? {#vendor-contracts}

**Short answer.** Ohio has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general commercial contracts. The breach statute touches vendors at one point: a custodian that stores computerized personal information on another person's behalf must notify that other person of a breach in an expeditious manner [^q3-custodian-notice]. Beyond that, vendor data terms come from the sectoral regimes that apply to your business.

Where a federal or sectoral regime is in scope, it supplies the contracting obligations: the GLBA Safeguards Rule requires financial institutions to oversee service providers by requiring them by contract to implement and maintain appropriate safeguards [^q3-glba-safeguards], and HIPAA requires a written business-associate contract with mandatory data-protection, breach-reporting, and subcontractor terms before protected health information is shared [^q3-hipaa-baa]. Insurance licensees have a state-law analogue: chapter 3965 requires a licensee to make its third-party service providers implement appropriate administrative, technical, and physical measures to protect nonpublic information [^q3-insurance-vendor]. Outside those verticals, the prudent move is to carry the same protections forward as best practice — processing limited to documented instructions, confidentiality, reasonable security, prompt breach notification back to your business, and return or deletion of data at the end of the engagement — even though no Ohio statute compels them. Two Ohio-specific reasons to insist on the security and notification clauses anyway: the 45-day breach clock in the next prong starts running on *your* discovery or notification, so a slow vendor consumes your compliance window; and a vendor whose weak controls cause a breach can expose you to the tort claims that the chapter 1354 safe harbor — covered below — is designed to answer.

## When must you notify people of a data breach in Ohio? {#breach-notification}

**Short answer.** Within forty-five days of discovering the breach. A reportable breach is unauthorized access to and acquisition of computerized data that compromises personal information and causes — or is reasonably believed to cause — a material risk of identity theft or other fraud to an Ohio resident [^q4-trigger]. Once the duty triggers, disclosure must be made in the most expedient time possible and no later than forty-five days after discovery or notification of the breach, subject to law-enforcement delay and to measures needed to determine the breach's scope and restore the system [^q4-timing].

Ohio's *personal information* definition is narrow by post-2019 standards: a resident's name combined with an unencrypted, unredacted Social Security number, driver's license or state ID number, or financial-account or card number together with the security code, access code, or password that would permit access to the account [^q4-personal-info]. Biometric data, health data, email addresses, and standalone login credentials are not on the list, and encryption or redaction takes data out of the definition entirely, so a properly encrypted breach generally triggers no Ohio notice duty. That carve-out turns on the data elements being *unreadable*, so an incident in which the attacker also obtained the decryption key, or in which the data was protected by a trivially reversible scheme, should not be assumed to fall outside the duty. The risk-of-harm qualifier matters too: access without a material risk of identity theft or other fraud is not a reportable breach, which makes a documented risk analysis the second artifact to preserve alongside the discovery date that starts the clock.

Notice may be written, electronic (if that is your primary way of communicating with the resident), or by telephone [^q4-methods]. Substitute notice is available where contact information is insufficient, the cost of individual notice would exceed two hundred fifty thousand dollars, or the affected class exceeds five hundred thousand people; it consists of email where an address is on file, conspicuous posting on your website, and notification to major media outlets reaching at least seventy-five per cent of the state's population. A separate lower-cost substitute track exists for businesses with ten or fewer employees whose notice cost would exceed ten thousand dollars [^q4-substitute-notice]. Two omissions stand out against most states' statutes: the section prescribes no mandatory content elements for the notice and imposes no duty to notify the Attorney General. It does require notifying the nationwide consumer reporting agencies, without unreasonable delay, when more than one thousand Ohio residents must be told of a single breach [^q4-cra], and any waiver of the section is void as against public policy.

The exemptions are unusually broad. Federally regulated financial institutions that are subject to federal breach-notice obligations and examination are exempt from the section [^q4-exempt-fi], and the statute does not apply at all to HIPAA covered entities [^q4-exempt-hipaa] — those organizations answer to their federal regulators instead. Insurance licensees carry an additional, much faster state clock: a cybersecurity event meeting chapter 3965's criteria must be reported to the superintendent of insurance as promptly as possible and no later than three business days after the determination [^q4-insurance-event]; when that superintendent notice is required, the licensee must also comply with § 1349.19 as applicable and give the superintendent a copy of the consumer notice [^q4-insurance-consumer-notice].
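The statute's gates are a decision tree an incident-response runbook can encode. The Python below is an added example, not part of the original article and not an official tool: it walks the § 1349.19 thresholds the section describes (the personal-information definition, the encryption carve-out, the material-risk qualifier, the two exemptions, the 45-day clock, the consumer-reporting-agency threshold, and both substitute-notice tracks) and bounds the cost of a late notice using the Attorney General's daily-penalty escalator as summarized in the enforcement question below. The element labels, field names, and sample incidents are this example's own constructions. It treats encrypted data whose key was also taken as readable, which is a reading of the statute's *unreadable* wording rather than something the statute spells out. Its output is a prompt for counsel, not a legal conclusion.

```python
"""Constructed triage helper for Ohio Rev. Code § 1349.19 (breach notification).

Added example, not the article's or any official tool. Encodes the thresholds
the article cites so an IR runbook can answer, from facts the team already
records, whether the Ohio duty is triggered, when it is due, and what missing
the deadline can cost. Penalty schedule follows the article's summary.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional

NOTICE_DEADLINE_DAYS = 45             # § 1349.19(B)(2): "not later than forty-five days"
CRA_NOTICE_THRESHOLD = 1000           # § 1349.19(G): more than 1,000 Ohio residents
SUBSTITUTE_COST_THRESHOLD = 250_000   # § 1349.19(E)(4), USD
SUBSTITUTE_CLASS_THRESHOLD = 500_000  # § 1349.19(E)(4), affected residents
SMALL_BIZ_MAX_EMPLOYEES = 10          # § 1349.19(E)(5)
SMALL_BIZ_COST_THRESHOLD = 10_000     # § 1349.19(E)(5), USD

# Data elements that, linked to a name, form "personal information" under
# § 1349.19(A)(7)(a). The labels are this example's own, not statutory terms.
QUALIFYING_ELEMENTS = frozenset(
    {"ssn", "drivers_license", "state_id", "financial_account_with_access_code"}
)


@dataclass(frozen=True)
class Incident:
    discovered: date            # discovery or notification date; starts the 45-day clock
    name_linked: bool           # first name/initial + last name linked to the elements
    elements: FrozenSet[str]    # exposed data elements, e.g. {"ssn", "email"}
    unreadable: bool            # encrypted/redacted so elements are unreadable; False if the key was also taken (assumption)
    material_risk: bool         # material risk of identity theft or other fraud
    ohio_residents: int
    hipaa_covered_entity: bool = False
    exempt_financial_institution: bool = False  # § 1349.19(F)(1) conditions already verified
    employees: int = 100
    notice_cost: int = 0        # estimated cost of individual notice, USD
    contact_info_sufficient: bool = True


@dataclass(frozen=True)
class Triage:
    notice_required: bool
    reason: str
    deadline: Optional[date] = None
    cra_notice_required: bool = False
    substitute_track: Optional[str] = None  # "standard", "small_business", or None


def is_personal_information(inc: Incident) -> bool:
    """Name + at least one qualifying element, and the elements are readable."""
    return inc.name_linked and bool(inc.elements & QUALIFYING_ELEMENTS) and not inc.unreadable


def substitute_track(inc: Incident) -> Optional[str]:
    """Which substitute-notice track under § 1349.19(E)(4)-(5) opens, if any."""
    if (not inc.contact_info_sufficient
            or inc.notice_cost > SUBSTITUTE_COST_THRESHOLD
            or inc.ohio_residents > SUBSTITUTE_CLASS_THRESHOLD):
        return "standard"
    if inc.employees <= SMALL_BIZ_MAX_EMPLOYEES and inc.notice_cost > SMALL_BIZ_COST_THRESHOLD:
        return "small_business"
    return None


def triage(inc: Incident) -> Triage:
    """Walk the statute's gates in order; the first failing gate ends the analysis."""
    if inc.hipaa_covered_entity:
        return Triage(False, "HIPAA covered entity: section does not apply, (F)(2); follow HIPAA breach rules")
    if inc.exempt_financial_institution:
        return Triage(False, "exempt financial institution, (F)(1); follow the federal regulator's notice rules")
    if not is_personal_information(inc):
        return Triage(False, "no 'personal information' under (A)(7): no name link, no listed element, or data unreadable")
    if not inc.material_risk:
        return Triage(False, "no material risk of identity theft or other fraud; preserve the written risk analysis")
    return Triage(
        True,
        "breach of the security of the system: notify affected Ohio residents",
        deadline=inc.discovered + timedelta(days=NOTICE_DEADLINE_DAYS),
        cra_notice_required=inc.ohio_residents > CRA_NOTICE_THRESHOLD,
        substitute_track=substitute_track(inc),
    )


def max_civil_penalty(days_noncompliant: int) -> int:
    """Upper bound of daily penalties for intentional or reckless noncompliance, per the
    article's summary: up to $1,000/day for days 1-60, $5,000/day for days 61-90,
    $10,000/day from day 91 on."""
    d = max(days_noncompliant, 0)
    tier1 = min(d, 60)
    tier2 = min(max(d - 60, 0), 30)
    tier3 = max(d - 90, 0)
    return tier1 * 1_000 + tier2 * 5_000 + tier3 * 10_000


# Constructed scenarios (sample input for this example, not real incidents).
SAMPLES = {
    "plaintext_ssn": Incident(date(2026, 4, 1), True, frozenset({"ssn"}), False, True, 1500),
    "encrypted_key_safe": Incident(date(2026, 4, 1), True, frozenset({"ssn"}), True, True, 1500),
    "encrypted_key_taken": Incident(date(2026, 4, 1), True, frozenset({"ssn"}), False, True, 1500),
    "emails_only": Incident(date(2026, 4, 1), True, frozenset({"email", "password"}), False, True, 1500),
    "small_shop": Incident(date(2026, 4, 1), True, frozenset({"drivers_license"}), False, True, 400,
                           employees=6, notice_cost=12_000),
}

if __name__ == "__main__":
    for name, inc in SAMPLES.items():
        print(f"{name}: {triage(inc)}")
    print("maximum penalty exposure after 120 days of noncompliance:", max_civil_penalty(120))
```

The gate order matters: the exemptions are checked before the definition, because a HIPAA covered entity or exempt financial institution never reaches the Ohio analysis at all, and the readability test sits inside `is_personal_information` because the statute places the encryption carve-out in the definition itself rather than in a separate exception.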

## Can a written cybersecurity program give you an affirmative defense in Ohio data-breach lawsuits? {#cybersecurity-safe-harbor}

**Short answer.** Yes — this is Ohio's distinctive feature and the most actionable item in this note. Under the Ohio Data Protection Act (chapter 1354, the first state law of its kind), a covered entity that creates, maintains, and complies with a written cybersecurity program containing administrative, technical, and physical safeguards that reasonably conforms to an industry-recognized cybersecurity framework can seek the defense; for restricted-information breach claims, the program must protect both personal information and restricted information [^q5-dpa-optin]. The program must also be designed to protect the security and confidentiality of that information, to protect against anticipated threats or hazards to it, and to protect against unauthorized access and acquisition likely to result in a material risk of identity theft or other fraud (§ 1354.02(B)). A qualifying program gives an affirmative defense to tort claims alleging that a failure to implement reasonable security controls caused a data breach concerning personal information, or concerning personal or restricted information when the broader track is satisfied [^q5-dpa-defense].

The reach is broad: a *covered entity* is any business that accesses, maintains, communicates, or processes personal or restricted information through systems located in or outside Ohio [^q5-dpa-covered-entity] — no size threshold. The qualifying frameworks are enumerated: the NIST Cybersecurity Framework, NIST Special Publications 800-171 or 800-53/53a, FedRAMP, the CIS Critical Security Controls, or the ISO/IEC 27000 family [^q5-dpa-frameworks]; regulated entities may instead use the security requirements of HIPAA, GLBA, FISMA, or HITECH [^q5-dpa-regulated-frameworks], and PCI DSS qualifies only when paired with another listed framework [^q5-dpa-pci]. When those frameworks or standards are revised or amended, the program generally has one year to conform to the revision [^q5-dpa-revision]. The program does not have to be one-size-fits-all: its scale and scope are appropriate if based on the entity's size and complexity, the nature of its activities, the sensitivity of the information, the cost and availability of security tools, and the resources available [^q5-dpa-scale] — a sliding scale that puts the defense within reach of small businesses.

Two design points keep the chapter's character clear. First, it is an incentive statute: it speaks of a covered entity *seeking* an affirmative defense rather than imposing a universal Ohio security program [^q5-dpa-optin], so it creates no freestanding duty to have one; other Ohio, federal, or contract obligations may still require security controls. Second, the chapter creates no right to sue: it cannot be construed to provide a private right of action, including a class action, for any practice it regulates [^q5-dpa-no-pra]. Counsel should also note the defense's limits. It answers causes of action *sounding in tort* brought under Ohio law or in Ohio courts [^q5-dpa-defense]; contract and statutory claims are outside its text, as is a tort action brought neither under Ohio law nor in an Ohio court. It is an affirmative defense, so the business bears the burden of proving conformity. No reported Ohio appellate decision applying the defense appears to have tested what *reasonably conforms* requires, so the practical move is to document conformity contemporaneously: a written program mapped clause-by-clause to the chosen framework, dated reviews, change records showing the program tracked framework revisions within the one-year window, and evidence the program was actually complied with, not just adopted.

## Can a consumer sue your business in Ohio over privacy? {#consumer-lawsuit}

**Short answer.** Not under the breach statute. The Attorney General has exclusive authority to bring a civil action — including injunctions and civil penalties — for a failure to comply with the breach-notification law [^q6-ag-exclusive], so consumers cannot sue for a late or omitted breach notice. The Consumer Sales Practices Act is the partial exception: a consumer may bring an individual action to rescind the transaction or recover actual economic damages plus up to five thousand dollars in noneconomic damages [^q6-cspa-individual], but treble damages and any class action are available only where a prior Attorney General rule or a prior publicly available Ohio court decision had already declared the specific practice deceptive or unconscionable [^q6-cspa-gate].

The breach-statute enforcement machinery has real teeth despite the absence of consumer suits. The Attorney General may investigate on complaints or on the office's own inquiry, with oath, subpoena, and document powers [^q6-ag-investigation]. On a finding of intentional or reckless noncompliance, daily civil penalties escalate with time: up to one thousand dollars per day of noncompliance [^q6-penalty-base], rising to five thousand dollars per day after sixty days and ten thousand dollars per day from the ninety-first day on [^q6-penalty-escalator] — so a breach concealed for months compounds quickly, and violators are also liable for the Attorney General's investigation costs.

On the Consumer Sales Practices Act side, the Attorney General may seek declaratory judgments and injunctions where an act or practice violates the chapter and action is in the public interest [^q6-ag-cspa]. Attorney General class relief is separately gated to specified § 1345.02 practices, prior Attorney General rules, or prior publicly available Ohio court decisions [^q6-ag-cspa-class]. For private plaintiffs, the § 1345.09(B) gate is the controlling reality for data claims: because no prior Ohio rule or published decision appears to have declared a specific data-privacy or data-security practice deceptive, novel privacy claims start in the individual-action tier — actual economic damages, capped noneconomic damages, no trebling, no class — until a first rule or decision exists. There is a scoping question beneath even that: the statute reaches only a *consumer transaction* — a transfer of goods, a service, or an intangible to an individual for primarily personal, family, or household purposes [^q6-consumer-transaction] — and whether a zero-price, ad-funded online service fits that definition has no settled Ohio appellate answer. Post-breach plaintiffs therefore typically plead common-law negligence — which is exactly the claim the chapter 1354 affirmative defense covered above is built to answer — making the written-cybersecurity-program decision the practical center of Ohio privacy risk management.



[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org) · Maintained by [UseJunior](https://usejunior.com). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Ohio. This article synthesizes Ohio primary law and is not legal advice from an Ohio-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.

[^q1-breach-duty]: **Ohio Rev. Code § 1349.19** — "Any person that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system, following its discovery or notification of the breach of the security of the system, to any resident of this state whose personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to the resident." *Ohio Rev. Code § 1349.19(B)(1).* <https://codes.ohio.gov/ohio-revised-code/section-1349.19>

[^q1-cspa-deception]: **Ohio Rev. Code § 1345.02** — "No supplier shall commit an unfair or deceptive act or practice in connection with a consumer transaction. Such an unfair or deceptive act or practice by a supplier violates this section whether it occurs before, during, or after the transaction." *Ohio Rev. Code § 1345.02(A).* <https://codes.ohio.gov/ohio-revised-code/section-1345.02>

[^q1-dpa-defense]: **Ohio Rev. Code § 1354.02** — "A covered entity that satisfies divisions (A)(1), (B), and (C) of this section is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information." *Ohio Rev. Code § 1354.02(D)(1).* <https://codes.ohio.gov/ohio-revised-code/section-1354.02>

[^q1-insurance-program]: **Ohio Rev. Code § 3965.02** — "Each licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee's risk assessment." *Ohio Rev. Code § 3965.02(A).* <https://codes.ohio.gov/ohio-revised-code/section-3965.02>

[^q1-payment-recording]: **Ohio Rev. Code § 1349.17** — "(A) No person shall record or cause to be recorded either of the following ... (1) A credit card account number of the other party to a transaction, when a check, bill of exchange, or other draft is presented for payment ... (2) The telephone number or social security account number of the other party to a transaction, when payment is made by credit card charge agreement, check, bill of exchange, or other draft." *Ohio Rev. Code § 1349.17(A).* <https://codes.ohio.gov/ohio-revised-code/section-1349.17>

[^q2-ftc5]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>

[^q2-cspa-deception]: **Ohio Rev. Code § 1345.02** — "No supplier shall commit an unfair or deceptive act or practice in connection with a consumer transaction." *Ohio Rev. Code § 1345.02(A).* <https://codes.ohio.gov/ohio-revised-code/section-1345.02>

[^q2-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520(a)(1).* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>

[^q2-cspa-ftc-construction]: **Ohio Rev. Code § 1345.02(C)** — "In construing division (A) of this section, the court shall give due consideration and great weight to federal trade commission orders, trade regulation rules and guides, and the federal courts' interpretations of subsection 45 (a)(1) of the ‘Federal Trade Commission Act,’ 38 Stat. 717 (1914), 15 U.S.C.A. 41, as amended." *Ohio Rev. Code § 1345.02(C).* <https://codes.ohio.gov/ohio-revised-code/section-1345.02>

[^q2-glba-notice]: **GLBA privacy notice** — "Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title." *15 U.S.C. § 6802(a).* <https://www.law.cornell.edu/uscode/text/15/6802#:~:text=Except%20as%20otherwise%20provided%20in,section%206803%20of%20this%20title.>

[^q3-custodian-notice]: **Ohio Rev. Code § 1349.19(C)** — "Any person that, on behalf of or at the direction of another person or on behalf of or at the direction of any governmental entity, is the custodian of or stores computerized data that includes personal information shall notify that other person or governmental entity of any breach of the security of the system in an expeditious manner, if the personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person and if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to a resident of this state." *Ohio Rev. Code § 1349.19(C).* <https://codes.ohio.gov/ohio-revised-code/section-1349.19>

[^q3-glba-safeguards]: **GLBA Safeguards Rule** — "Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) Requiring your service providers by contract to implement and maintain such safeguards; and (3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards." *16 C.F.R. § 314.4(f)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Oversee%20service%20providers%2C%20by%3A%20(1),continued%20adequacy%20of%20their%20safeguards.>

[^q3-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;" *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,with%20respect%20to%20such%20information%3B>

[^q3-insurance-vendor]: **Ohio Rev. Code § 3965.02(F)** — "A licensee shall require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider." *Ohio Rev. Code § 3965.02(F)(2).* <https://codes.ohio.gov/ohio-revised-code/section-3965.02>

[^q4-trigger]: **Ohio Rev. Code § 1349.19(A)(1)** — "‘Breach of the security of the system’ means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a person and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state." *Ohio Rev. Code § 1349.19(A)(1)(a).* <https://codes.ohio.gov/ohio-revised-code/section-1349.19>

[^q4-timing]: **Ohio Rev. Code § 1349.19(B)(2)** — "The person shall make the disclosure described in division (B)(1) of this section in the most expedient time possible but not later than forty-five days following its discovery or notification of the breach in the security of the system, subject to the legitimate needs of law enforcement activities described in division (D) of this section and consistent with any measures necessary to determine the scope of the breach, including which residents' personal information was accessed and acquired, and to restore the reasonable integrity of the data system." *Ohio Rev. Code § 1349.19(B)(2).* <https://codes.ohio.gov/ohio-revised-code/section-1349.19>

[^q4-personal-info]: **Ohio Rev. Code § 1349.19(A)(7)** — "‘Personal information’ means an individual's name, consisting of the individual's first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable:(i) Social security number;(ii) Driver's license number or state identification card number;(iii) Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual's financial account." *Ohio Rev. Code § 1349.19(A)(7)(a).* <https://codes.ohio.gov/ohio-revised-code/section-1349.19>

[^q4-methods]: **Ohio Rev. Code § 1349.19(E)** — "For purposes of this section, a person may disclose or make a notification by any of the following methods:(1) Written notice;(2) Electronic notice, if the person's primary method of communication with the resident to whom the disclosure must be made is by electronic means;(3) Telephone notice;" *Ohio Rev. Code § 1349.19(E).* <https://codes.ohio.gov/ohio-revised-code/section-1349.19>

[^q4-substitute-notice]: **Ohio Rev. Code § 1349.19(E)** — "(4) Substitute notice in accordance with this division, if the person required to disclose demonstrates that the person does not have sufficient contact information to provide notice in a manner described in division (E)(1), (2), or (3) of this section, or that the cost of providing disclosure or notice to residents to whom disclosure or notification is required would exceed two hundred fifty thousand dollars, or that the affected class of subject residents to whom disclosure or notification is required exceeds five hundred thousand persons. Substitute notice under this division shall consist of all of the following: (a) Electronic mail notice if the person has an electronic mail address for the resident to whom the disclosure must be made; (b) Conspicuous posting of the disclosure or notice on the person's web site, if the person maintains one; (c) Notification to major media outlets, to the extent that the cumulative total of the readership, viewing audience, or listening audience of all of the outlets so notified equals or exceeds seventy-five per cent of the population of this state. (5) Substitute notice in accordance with this division, if the person required to disclose demonstrates that the person is a business entity with ten employees or fewer and that the cost of providing the disclosures or notices to residents to whom disclosure or notification is required will exceed ten thousand dollars. Substitute notice under this division shall consist of all of the following: (a) Notification by a paid advertisement in a local newspaper that is distributed in the geographic area in which the business entity is located, which advertisement shall be of sufficient size that it covers at least one-quarter of a page in the newspaper and shall be published in the newspaper at least once a week for three consecutive weeks; (b) Conspicuous posting of the disclosure or notice on the business entity's web site, if the entity maintains one; (c) Notification to major media outlets in the geographic area in which the business entity is located." *Ohio Rev. Code § 1349.19(E)(4)-(5).* <https://codes.ohio.gov/ohio-revised-code/section-1349.19>

[^q4-cra]: **Ohio Rev. Code § 1349.19(G)** — "If a person discovers circumstances that require disclosure under this section to more than one thousand residents of this state involved in a single occurrence of a breach of the security of the system, the person shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the disclosure given by the person to the residents of this state." *Ohio Rev. Code § 1349.19(G).* <https://codes.ohio.gov/ohio-revised-code/section-1349.19>

[^q4-exempt-fi]: **Ohio Rev. Code § 1349.19(F)(1)** — "A financial institution, trust company, or credit union or any affiliate of a financial institution, trust company, or credit union that is required by federal law, including, but not limited to, any federal statute, regulation, regulatory guidance, or other regulatory action, to notify its customers of an information security breach with respect to information about those customers and that is subject to examination by its functional government regulatory agency for compliance with the applicable federal law, is exempt from the requirements of this section." *Ohio Rev. Code § 1349.19(F)(1).* <https://codes.ohio.gov/ohio-revised-code/section-1349.19>

[^q4-exempt-hipaa]: **Ohio Rev. Code § 1349.19(F)(2)** — "This section does not apply to any person or entity that is a covered entity as defined in 45 C.F.R. 160.103, as amended." *Ohio Rev. Code § 1349.19(F)(2).* <https://codes.ohio.gov/ohio-revised-code/section-1349.19>

[^q4-insurance-event]: **Ohio Rev. Code § 3965.04** — "Each licensee shall notify the superintendent of insurance as promptly as possible after a determination that a cybersecurity event involving nonpublic information in the possession of the licensee has occurred, but in no event later than three business days after that determination, when either of the following criteria has been met:" *Ohio Rev. Code § 3965.04(A).* <https://codes.ohio.gov/ohio-revised-code/section-3965.04>

[^q4-insurance-consumer-notice]: **Ohio Rev. Code § 3965.04** — "A licensee shall comply with section 1349.19 of the Revised Code as applicable and provide a copy of the notice sent to consumers under that section to the superintendent, when the licensee is required to notify the superintendent under division (A) of this section." *Ohio Rev. Code § 3965.04(C).* <https://codes.ohio.gov/ohio-revised-code/section-3965.04>

[^q5-dpa-optin]: **Ohio Rev. Code § 1354.02(A)** — "A covered entity seeking an affirmative defense under sections 1354.01 to 1354.05 of the Revised Code shall do one of the following: (1) Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry recognized cybersecurity framework, as described in section 1354.03 of the Revised Code; or (2) Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of both personal information and restricted information and that reasonably conforms to an industry recognized cybersecurity framework, as described in section 1354.03 of the Revised Code." *Ohio Rev. Code § 1354.02(A).* <https://codes.ohio.gov/ohio-revised-code/section-1354.02>

[^q5-dpa-defense]: **Ohio Rev. Code § 1354.02(D)** — "(1) A covered entity that satisfies divisions (A)(1), (B), and (C) of this section is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information. (2) A covered entity that satisfies divisions (A)(2), (B), and (C) of this section is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information." *Ohio Rev. Code § 1354.02(D)(1)-(2).* <https://codes.ohio.gov/ohio-revised-code/section-1354.02>

[^q5-dpa-covered-entity]: **Ohio Rev. Code § 1354.01** — "‘Covered entity’ means a business that accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside this state." *Ohio Rev. Code § 1354.01(B).* <https://codes.ohio.gov/ohio-revised-code/section-1354.01>

[^q5-dpa-frameworks]: **Ohio Rev. Code § 1354.03** — "The cybersecurity program reasonably conforms to the current version of any of the following or any combination of the following, subject to divisions (A)(2) and (D) of this section: (a) The ‘framework for improving critical infrastructure cybersecurity’ developed by the ‘national institute of standards and technology’ (NIST); (b) ‘NIST special publication 800-171’; (c) ‘NIST special publications 800-53 and 800-53a’; (d) The ‘federal risk and authorization management program (FedRAMP) security assessment framework’; (e) The ‘center for internet security critical security controls for effective cyber defense’; (f) The ‘international organization for standardization/international electrotechnical commission 27000 family - information security management systems.’" *Ohio Rev. Code § 1354.03(A)(1).* <https://codes.ohio.gov/ohio-revised-code/section-1354.03>

[^q5-dpa-regulated-frameworks]: **Ohio Rev. Code § 1354.03(B)** — "The covered entity is regulated by the state, by the federal government, or both, or is otherwise subject to the requirements of any of the laws or regulations listed below, and the cybersecurity program reasonably conforms to the entirety of the current version of any of the following, subject to division (B)(2) of this section: (a) The security requirements of the ‘Health Insurance Portability and Accountability Act of 1996,’ as set forth in 45 CFR Part 164 Subpart C; (b) Title V of the ‘Gramm-Leach-Bliley Act of 1999,’ Public Law 106-102, as amended; (c) The ‘Federal Information Security Modernization Act of 2014,’ Public Law 113-283; (d) The ‘Health Information Technology for Economic and Clinical Health Act,’ as set forth in 45 CFR part 162." *Ohio Rev. Code § 1354.03(B)(1).* <https://codes.ohio.gov/ohio-revised-code/section-1354.03>

[^q5-dpa-pci]: **Ohio Rev. Code § 1354.03(C)** — "The cybersecurity program reasonably complies with both the current version of the ‘payment card industry (PCI) data security standard’ and conforms to the current version of another applicable industry recognized cybersecurity framework listed in division (A) of this section, subject to divisions (C)(2) and (D) of this section." *Ohio Rev. Code § 1354.03(C)(1).* <https://codes.ohio.gov/ohio-revised-code/section-1354.03>

[^q5-dpa-revision]: **Ohio Rev. Code § 1354.03** — "When a final revision to a framework listed in division (A)(1) of this section is published, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform to the revised framework not later than one year after the publication date stated in the revision. (B)(1) The covered entity is regulated by the state, by the federal government, or both, or is otherwise subject to the requirements of any of the laws or regulations listed below, and the cybersecurity program reasonably conforms to the entirety of the current version of any of the following, subject to division (B)(2) of this section: (a) The security requirements of the ‘Health Insurance Portability and Accountability Act of 1996,’ as set forth in 45 CFR Part 164 Subpart C; (b) Title V of the ‘Gramm-Leach-Bliley Act of 1999,’ Public Law 106-102, as amended; (c) The ‘Federal Information Security Modernization Act of 2014,’ Public Law 113-283; (d) The ‘Health Information Technology for Economic and Clinical Health Act,’ as set forth in 45 CFR part 162. (2) When a framework listed in division (B)(1) of this section is amended, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform to the amended framework not later than one year after the effective date of the amended framework. (C)(1) The cybersecurity program reasonably complies with both the current version of the ‘payment card industry (PCI) data security standard’ and conforms to the current version of another applicable industry recognized cybersecurity framework listed in division (A) of this section, subject to divisions (C)(2) and (D) of this section. (2) When a final revision to the ‘PCI data security standard’ is published, a covered entity whose cybersecurity program reasonably complies with that standard shall reasonably comply with the revised standard not later than one year after the publication date stated in the revision. (D) If a covered entity's cybersecurity program reasonably conforms to a combination of industry recognized cybersecurity frameworks, or complies with a standard, as in the case of the payment card industry (PCI) data security standard, as described in division (A) or (C) of this section, and two or more of those frameworks are revised, the covered entity whose cybersecurity program reasonably conforms to or complies with, as applicable, those frameworks shall reasonably conform to or comply with, as applicable, all of the revised frameworks not later than one year after the latest publication date stated in the revisions." *Ohio Rev. Code § 1354.03(A)(2), (B)(2), (C)(2), (D).* <https://codes.ohio.gov/ohio-revised-code/section-1354.03>

[^q5-dpa-scale]: **Ohio Rev. Code § 1354.02(C)** — "The scale and scope of a covered entity's cybersecurity program under division (A)(1) or (2) of this section, as applicable, is appropriate if it is based on all of the following factors: (1) The size and complexity of the covered entity; (2) The nature and scope of the activities of the covered entity; (3) The sensitivity of the information to be protected; (4) The cost and availability of tools to improve information security and reduce vulnerabilities; (5) The resources available to the covered entity." *Ohio Rev. Code § 1354.02(C).* <https://codes.ohio.gov/ohio-revised-code/section-1354.02>

[^q5-dpa-no-pra]: **Ohio Rev. Code § 1354.04** — "Sections 1354.01 to 1354.05 of the Revised Code shall not be construed to provide a private right of action, including a class action, with respect to any act or practice regulated under those sections." *Ohio Rev. Code § 1354.04.* <https://codes.ohio.gov/ohio-revised-code/section-1354.04>

[^q6-ag-exclusive]: **Ohio Rev. Code § 1349.192** — "The attorney general shall have the exclusive authority to bring a civil action in a court of common pleas for appropriate relief under this section, including a temporary restraining order, preliminary or permanent injunction, and civil penalties, if it appears that a state agency or an agency of a political subdivision has failed or is failing to comply with section 1347.12 of the Revised Code or that a person has failed or is failing to comply with section 1349.19 of the Revised Code." *Ohio Rev. Code § 1349.192(A)(1).* <https://codes.ohio.gov/ohio-revised-code/section-1349.192>

[^q6-cspa-individual]: **Ohio Rev. Code § 1345.09(A)** — "Where the violation was an act prohibited by section 1345.02, 1345.03, or 1345.031 of the Revised Code, the consumer may, in an individual action, rescind the transaction or recover the consumer's actual economic damages plus an amount not exceeding five thousand dollars in noneconomic damages." *Ohio Rev. Code § 1345.09(A).* <https://codes.ohio.gov/ohio-revised-code/section-1345.09>

[^q6-cspa-gate]: **Ohio Rev. Code § 1345.09(B)** — "Where the violation was an act or practice declared to be deceptive or unconscionable by rule adopted under division (B)(2) of section 1345.05 of the Revised Code before the consumer transaction on which the action is based, or an act or practice determined by a court of this state to violate section 1345.02, 1345.03, or 1345.031 of the Revised Code and committed after the decision containing the determination has been made available for public inspection under division (A)(3) of section 1345.05 of the Revised Code, the consumer may rescind the transaction or recover, but not in a class action, three times the amount of the consumer's actual economic damages or two hundred dollars, whichever is greater, plus an amount not exceeding five thousand dollars in noneconomic damages or recover damages or other appropriate relief in a class action under Civil Rule 23, as amended." *Ohio Rev. Code § 1345.09(B).* <https://codes.ohio.gov/ohio-revised-code/section-1345.09>

[^q6-ag-investigation]: **Ohio Rev. Code § 1349.191** — "The attorney general may conduct an investigation if the attorney general, based on complaints or the attorney general's own inquiries, has reason to believe that a state agency or an agency of a political subdivision has failed or is failing to comply with section 1347.12 of the Revised Code or that a person has failed or is failing to comply with section 1349.19 of the Revised Code." *Ohio Rev. Code § 1349.191(B).* <https://codes.ohio.gov/ohio-revised-code/section-1349.191>

[^q6-penalty-base]: **Ohio Rev. Code § 1349.192(A)(1)(a)** — "For each day that the state agency, agency of a political subdivision, or person has intentionally or recklessly failed to comply with the applicable section, subject to divisions (A)(1)(b) and (c) of this section, a civil penalty of up to one thousand dollars for each day the agency or person fails to comply with the section;" *Ohio Rev. Code § 1349.192(A)(1)(a).* <https://codes.ohio.gov/ohio-revised-code/section-1349.192>

[^q6-penalty-escalator]: **Ohio Rev. Code § 1349.192(A)(1)(c)** — "If the state agency, agency of a political subdivision, or person has intentionally or recklessly failed to comply with the applicable section for more than ninety days, a civil penalty in the amount specified in division (A)(1)(a) of this section for each day of the first sixty days that the agency or person fails to comply with the section, a civil penalty of up to five thousand dollars for each day commencing with the sixty-first day and continuing through the ninetieth day that the agency or person fails to comply with the section, and, for each day commencing with the ninety-first day that the state agency, agency of a political subdivision, or person has failed to comply with the section, a civil penalty of up to ten thousand dollars for each such day the agency or person fails to comply with the section." *Ohio Rev. Code § 1349.192(A)(1)(c).* <https://codes.ohio.gov/ohio-revised-code/section-1349.192>

[^q6-ag-cspa]: **Ohio Rev. Code § 1345.07** — "If the attorney general, by the attorney general's own inquiries or as a result of complaints, has reasonable cause to believe that a supplier has engaged or is engaging in an act or practice that violates this chapter, and that the action would be in the public interest, the attorney general may bring any of the following: (1) An action to obtain a declaratory judgment that the act or practice violates section 1345.02, 1345.03, or 1345.031 of the Revised Code; (2)(a) An action, with notice as required by Civil Rule 65, to obtain a temporary restraining order, preliminary injunction, or permanent injunction to restrain the act or practice." *Ohio Rev. Code § 1345.07(A)(1)-(2).* <https://codes.ohio.gov/ohio-revised-code/section-1345.07>

[^q6-ag-cspa-class]: **Ohio Rev. Code § 1345.07** — "A class action under Civil Rule 23, as amended, on behalf of consumers who have engaged in consumer transactions in this state for damage caused by: (a) An act or practice enumerated in division (B), (D), or (G) of section 1345.02 of the Revised Code; (b) Violation of a rule adopted under division (B)(2) of section 1345.05 of the Revised Code before the consumer transaction on which the action is based; (c) An act or practice determined by a court of this state to violate section 1345.02, 1345.03, or 1345.031 of the Revised Code and committed after the decision containing the determination has been made available for public inspection under division (A)(3) of section 1345.05 of the Revised Code." *Ohio Rev. Code § 1345.07(A)(3).* <https://codes.ohio.gov/ohio-revised-code/section-1345.07>

[^q6-consumer-transaction]: **Ohio Rev. Code § 1345.01** — "‘Consumer transaction’ means a sale, lease, assignment, award by chance, or other transfer of an item of goods, a service, a franchise, or an intangible, to an individual for purposes that are primarily personal, family, or household, or solicitation to supply any of these things." *Ohio Rev. Code § 1345.01(A).* <https://codes.ohio.gov/ohio-revised-code/section-1345.01>
