Jim Siegel reports that Rep. John Patrick Carney is planning to introduce a law requiring state agencies, businesses, and institutions to report any database security breach to the Ohio attorney general’s office if any Ohio resident’s personal information was accessed. Notification would have to be made within 40 days of discovery of a breach.
Ohio currently doesn’t have a central database of breach reports, and the intention would be to create a publicly searchable database of breaches reported to the state.
Needless to say, I think it’s a great idea, but I think the “access” trigger is too high as entities often cannot determine whether there was access or just the potential for access. If the data were put at risk, that should trigger the notification, in my opinion. Or the law should state that unless the entity could conclusively demonstrate that there was no access, notification is required.
Read more on Columbus Dispatch.