Ohio Data Breach Notification Laws: Reporting Rules & Timelines (2026)

If your business handles personal information belonging to Ohio residents, a data breach triggers specific legal obligations. Ohio Rev. Code 1349.19 sets out who must be notified, what information triggers the duty, and how quickly you need to act. Ohio stands out among state breach notification laws for two reasons: it imposes escalating daily penalties for noncompliance, and it offers a separate cybersecurity safe harbor under the Ohio Data Protection Act (ORC Chapter 1354) that can shield businesses from tort liability if they maintain recognized cybersecurity programs.
This guide covers the full scope of Ohio's breach notification requirements, including what personal information triggers the law, who must be notified, the timeline, enforcement penalties, the cybersecurity safe harbor, and how the law connects to the state's [broader data privacy framework](/us-laws/data-privacy-laws/ohio-data-privacy-laws).
Who Must Comply With Ohio's Breach Notification Law
Ohio's breach notification law applies to any person that owns or licenses computerized data that includes personal information of Ohio residents. The term "person" includes individuals, corporations, business trusts, estates, trusts, partnerships, and associations.
The law also covers entities that do not own or license the data but maintain it on behalf of another person. If a data maintainer discovers a breach, it must notify the data owner or licensee of the breach. The data owner then carries the obligation to notify affected consumers.
Businesses located outside Ohio that hold data belonging to Ohio residents are subject to the law.
What Qualifies as a Breach of Security
Under ORC 1349.19, a breach of the security of the system means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information and that causes or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident.
The "material risk" threshold is significant. Not every unauthorized access triggers notification. The business must evaluate whether the breach creates a real risk of identity theft or fraud.
Good Faith Exception
A good faith acquisition of personal information by an employee or agent of the entity for the purposes of the entity's business does not constitute a breach, provided the personal information is not used for an unauthorized purpose and is not subject to further unauthorized disclosure.
The Encryption and Redaction Safe Harbor
Ohio provides a clear safe harbor for encrypted or redacted data. Personal information that has been encrypted, redacted, or altered by any method or technology that renders the data elements unreadable does not trigger the notification requirement.
"Redacted" means altered or truncated so that no more than the last four digits of a Social Security number, driver's license number, state ID number, account number, or credit/debit card number is accessible.
What Personal Information Triggers the Law
Under ORC 1349.19(A)(7), personal information means an individual's first name or first initial and last name in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or made unreadable:
- Social Security number
- Driver's license number or state identification card number
- Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual's financial account
Ohio's definition of personal information is narrower than that of many other states. It does not include biometric data, medical information, health insurance numbers, or passport numbers.
Notification Timeline
Ohio requires notification within 45 days of the discovery or notification of a breach. The 45-day clock starts when the business becomes aware of the breach, not when it completes its investigation.
Delays are permitted only when:
- A law enforcement agency determines that the disclosure will impede a criminal investigation or jeopardize national security (the business must provide disclosure without unreasonable delay after the law enforcement agency indicates it will no longer be impeded)
- The delay is necessary to determine the scope of the breach, identify affected individuals, or restore the reasonable integrity of the system (but these activities must not extend beyond the 45-day period)
Who Must Be Notified
Affected Individuals
Every Ohio resident whose personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person must receive notification, if the breach causes or is reasonably believed to cause a material risk of identity theft or other fraud.
The notice must include:
- A description of the breach in general terms
- The type of personal information subject to the breach
- Contact information for the entity providing notice
- Contact information for consumer reporting agencies
- Advice to the individual to monitor financial accounts and report suspected identity theft to law enforcement
Consumer Reporting Agencies
When a breach affects more than 1,000 Ohio residents in a single occurrence, the business must notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. This notification must include the timing, distribution, and content of the consumer notice.
Attorney General
The Ohio Attorney General has authority to investigate suspected noncompliance under ORC 1349.191. While the statute does not require proactive AG notification for every breach, the AG can initiate investigations and demand information.
Methods of Notification
Businesses can provide notification through:
- Written notice sent to the individual's last known address
- Electronic notice consistent with the federal E-SIGN Act
- Telephone notice directly to the affected individual
Substitute Notice
Substitute notice is available if the business demonstrates that:
- The cost of providing notice would exceed $250,000, or
- The affected class exceeds 500,000 persons, or
- The business does not have sufficient contact information
Substitute notice must include: a paid advertisement in a local newspaper covering at least one-quarter page, published once a week for three consecutive weeks; conspicuous posting on the business's website; and notification to major media outlets in the geographic area.
Ohio's substitute notice requirement is unique in specifying a newspaper advertisement format, including minimum size and frequency requirements.
Enforcement and Penalties
Escalating Daily Penalties
Ohio employs an escalating penalty structure under ORC 1349.192 for intentional or reckless noncompliance:
- $1,000 per day for the first 60 days of noncompliance
- $5,000 per day from days 61 through 90
- $10,000 per day from day 91 onward

This means a business that intentionally delays notification for 120 days could face over $600,000 in civil penalties.
Attorney General Enforcement
Under ORC 1349.191, the Attorney General may investigate suspected noncompliance and bring civil actions. The AG can also seek injunctive relief to prevent ongoing violations.
No Private Right of Action
Ohio's breach notification law does not create a private right of action. Individuals cannot sue businesses directly under ORC 1349.19 for breach notification failures. Enforcement is limited to the Attorney General.

The Ohio Data Protection Act Safe Harbor
Separate from the breach notification statute, the Ohio Data Protection Act (ORC Chapter 1354), enacted in 2018 through Senate Bill 220, provides an affirmative defense against tort claims arising from data breaches.
How the Safe Harbor Works
Under ORC 1354.02, a business that creates, maintains, and complies with a written cybersecurity program that reasonably conforms to a recognized cybersecurity framework is entitled to an affirmative defense against any cause of action sounding in tort that alleges the failure to implement reasonable security controls resulted in a data breach.
Recognized Cybersecurity Frameworks
The following frameworks qualify under the Ohio Data Protection Act:
- NIST Cybersecurity Framework
- NIST Special Publication 800-171 and 800-53
- FedRAMP Security Assessment Framework
- CIS Critical Security Controls
- ISO/IEC 27000 family of standards
- HIPAA security requirements (for entities subject to HIPAA)
- Gramm-Leach-Bliley Act security requirements
- FISMA
- PCI DSS (for entities accepting credit card payments)
Limitations of the Safe Harbor
The safe harbor is an affirmative defense only. It does not provide blanket immunity. The business must raise the defense in court and demonstrate that it maintained reasonable conformance with its chosen framework. The defense also does not protect against regulatory enforcement actions under ORC 1349.191 or claims under other statutes.
When a cybersecurity framework is updated, the business has one year to conform to the new version before the safe harbor applies to the updated standard.
Exemptions
Federal Compliance Exemptions
Entities that maintain their own notification procedures as part of an information privacy or security policy are deemed in compliance, provided those procedures are consistent with the timing requirements of Ohio law and the entity follows its own procedures.
Financial institutions subject to federal examination and covered entities under HIPAA that comply with federal breach notification rules may satisfy Ohio requirements through federal compliance.
Sources and References
This article draws from the following official Ohio government sources:
- Ohio Rev. Code 1349.19 (Security Breach Notification), codes.ohio.gov - Full text of Ohio's breach notification statute
- Ohio Rev. Code 1349.191 (Investigation of Noncompliance), codes.ohio.gov - Attorney General investigation authority
- Ohio Rev. Code 1349.192 (Civil Penalties), codes.ohio.gov - Escalating penalty structure
- Ohio Rev. Code Chapter 1354 (Data Protection Act), codes.ohio.gov - Cybersecurity safe harbor provisions
- Ohio Rev. Code 1354.02 (Safe Harbor Requirements), codes.ohio.gov - Recognized cybersecurity frameworks
- Ohio Attorney General: Personal Information for Consumers, ohioattorneygeneral.gov - AG guidance for businesses
This article provides general legal information about Ohio data privacy laws and breach notification requirements. It is not legal advice, and it does not create an attorney-client relationship. Data breach response involves time-sensitive obligations. Consult a qualified attorney licensed in Ohio for guidance specific to your situation.