“A person’s individual data is more exposed now more than ever,” said Lt. Gov. Jon Husted, who announced the bill on Tuesday with its joint sponsors, Hall and Rep. Rick Carfagna, R-Genoa Twp. “We continue to research as consumers online, use online services. Our digital exposure is only growing.”
This bill establishes what lawmakers refer to as “data rights” for Ohioans. It requires businesses ― primarily those with $25 million or more in gross revenue in Ohio, or businesses that control or process large amounts of data ― to follow specific data standards.
The bill, among other things, would also:
- outline obligations for businesses to follow, such as posting privacy notices and disclosing where data is being sold.
- give the Ohio Attorney General exclusive authority to enforce the Ohio Privacy Protection Act, and no private right of action would exist. Complaints of alleged violations would be filed with the AG’s office.
The number of data breaches and exposures in the United States has increased 41 percent since 2015, according to a 2020 Data Breach Report authored by the Identity Theft Resource Center.
And though the number of breaches and exposures have declined since the record-setting year in 2017, they’re on the rise this year.
Through June, nearly 900 data breaches were publicly reported in the United States, impacting nearly 119 million people, according to the ITRC report. Breaches in the second quarter this year increased 38 percent from the first quarter, and if that rate continues they’ll exceed the nearly 1,700 in 2017. (This data does not include the 1 billion people exposed in data leaks from Facebook and LinkedIn).
James Lee, chief operating officer for ITRC, previously told the Journal-News they’ve known that downward trend would stop, but “we didn’t really expect to see was such as dramatic reversal that will take us from a five-year low to what looks to be an all-time high by the end of the year in just a matter of months.”
The Ohio Personal Privacy Act has not yet been assigned a committee, but Hall said there have been internal discussions about it.
More than 20 states have introduced similar data privacy legislation, and Husted said this bill has been in development for the past two years. California and Virginia have enacted data privacy legislation.
“Data and personal information, f misused, mishandled or inadequately protected, could potentially result in identity theft, financial fraud and other problems which in turn puts the burden on consumers to sort out and in many instances pay for with both their time and treasure,” Husted said.