State and Federal Regulations

Ohio Policies

Ohio Revised Code §1347: Ohio Revised Code §1347 (formerly referred to as House Bill 104) establishes requirements for notifying Ohio residents in the event that certain personal information is disclosed or reasonably believed to be disclosed to unauthorized persons through a system security breach. Personal information as defined in this law includes an individual's name coupled with his or her Social Security number, driver's license number and/or credit card information. Specific requirements vary depending on the size and certainty of the disclosure.

Ohio Senate Bill 126 went into effect March 30, 2007. This legislation exempts persons, entities, state agencies and agencies of political subdivisions that are "covered entities" under the federal Health Insurance Portability and Accountability Act (HIPAA) from the disclosure requirement related to unauthorized access to personal information as required by Ohio Revised Code 1347.12.

Federal Policies

FERPA: FERPA protects the privacy of students' education records by setting forth strict instructions and limitations governing the release of information about students. Particularly sensitive information includes students' Social Security numbers, race or ethnicity, gender, nationality, academic performance, disciplinary records, and grades.

Health Insurance Portability and Accountability Act of 1996 (HIPAA): HIPAA is a federal law comprised of three sets of regulations that establish and protect patient rights and disseminate standards for the protection of individually identifiable health information, otherwise known as protected health information (PHI).

Payment Card Industry (PCI) Standards: A set of security standards created by the major credit card companies that applies to any organization that processes and/or stores credit or debit card information; the standards include requirements for security management, policies, procedures, network architecture, software design and auditing.

Gramm-Leach-Bliley Act: Sets forth key provisions on the collection and disclosure of consumer's personal financial information, such as bank account numbers.

FACTA Red Flags: Regulation intended to reduce the risk of identity theft. The regulation defines twenty-six alerts or red flags. A Red Flag refers to a pattern, practice or specific activity that indicates the possible existence of identity theft. The regulation is monitored by the Federal Trade Commission and goes into effect November 1, 2009.