Ohio Code 3965.03 – Investigation of events
(A) If a licensee learns that a cybersecurity event has or may have occurred, the licensee or an outside vendor or service provider designated to act on behalf of the licensee shall conduct a prompt investigation.
(B) During the investigation, the licensee or an outside vendor or service provider designated to act on behalf of the licensee shall, at a minimum, do as much of the following as possible:
(1) Determine whether a cybersecurity event has occurred;
(2) Assess the nature and scope of the cybersecurity event;
(3) Identify any nonpublic information that may have been involved in the cybersecurity event;
(4) Perform or oversee reasonable measures to restore the security of the information systems compromised in the cybersecurity event in order to prevent further unauthorized acquisition, release, or use of nonpublic information in the licensee's possession, custody, or control.
(C) If the licensee learns that a cybersecurity event has or may have occurred in a system maintained by a third-party service provider, the licensee shall take the actions described in division (B) of this section or make reasonable efforts to confirm and document that the third-party service provider has taken those actions.
(D) The licensee shall maintain records concerning all cybersecurity events for a period of at least five years from the date of the cybersecurity event and shall produce those records upon demand of the superintendent of insurance.
Terms Used In Ohio Code 3965.03
- Cybersecurity event: means an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information stored on an information system that has a reasonable likelihood of materially harming any consumer residing in this state or any material part of the normal operations of the licensee. See Ohio Code 3965.01
- Licensee: includes an insurer. See Ohio Code 3965.01
- Nonpublic information: means information that is not publicly available information and is one of the following:
(1) Business-related information of a licensee the tampering with, unauthorized disclosure of, access to, or use of which, would cause a material adverse impact to the business, operation, or security of the licensee;
(2) Information concerning a consumer that because of the name, number, personal mark, or other identifier contained in the information can be used to identify that consumer in combination with any one or more of the following data elements:
(a) Social security number;
(b) Driver's license, commercial driver's license, or state identification card number;
(c) Account, credit card, or debit card number;
(d) Any security code, access code, or password that would permit access to the consumer's financial account;
(e) Biometric records. See Ohio Code 3965.01
- Third-party service provider: means a person other than a licensee that:
(1) Contracts with a licensee to maintain, process, or store nonpublic information through its provision of services to the licensee;
(2) Otherwise is permitted access to nonpublic information through its provision of services to the licensee. See Ohio Code 3965.01