Effective: March 20, 2019
Latest Legislation: Senate Bill 273 - 132nd General Assembly
As used in this chapter:
(A) "Assuming insurer" has the same meaning as in section 3901.61 of the Revised Code.
(B) "Authorized individual" means an individual authorized by the licensee to access nonpublic information held by the licensee and its information systems.
(C) "Ceding insurer" has the same meaning as in section 3901.61 of the Revised Code.
(D) "Consumer" means an individual who is a resident of this state and whose nonpublic information is in a licensee's possession, custody, or control. "Consumer" includes an applicant, policyholder, insured, beneficiary, claimant, and certificate holder.
(E) "Cybersecurity event" means an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information stored on an information system that has a reasonable likelihood of materially harming any consumer residing in this state or any material part of the normal operations of the licensee. "Cybersecurity event" does not include the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization. "Cybersecurity event" does not include an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
(F) "Encrypted" means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key.
(G) "Family" means an individual's spouse, child, stepchild, foster child, parent, stepparent, foster parent, grandparent, grandchild, sibling, half sibling, stepsibling, parent-in-law, brother-in-law, or sister-in-law.
(H) "HIPAA" means the "Health Insurance Portability and Accountability Act of 1996," Pub. L. No. 104-191, 110 Stat. 1936, as amended.
(I) "Independent insurance agent" has the same meaning as in section 3905.49 of the Revised Code.
(J) "Information security program" means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.
(K) "Information system" means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic nonpublic information, as well as any specialized system such as industrial and process controls systems, telephone switching and private branch exchange systems, and environmental control systems.
(L) "Insurer" has the same meaning as in section 3901.32 of the Revised Code.
(M) "Licensee" means any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this state. "Licensee" includes an insurer. "Licensee" does not include a purchasing group or a risk retention group chartered and licensed in another state or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
(N) "Multifactor authentication" means authentication through verification of at least two of the following types of authentication factors:
(1) Knowledge factors, such as a password;
(2) Possession factors, such as a token or text message on a mobile phone;
(3) Inherence factors, such as a biometric characteristic.
(O) "Nonpublic information" means information that is not publicly available information and is one of the following:
(1) Business-related information of a licensee the tampering with, unauthorized disclosure of, access to, or use of which, would cause a material adverse impact to the business, operation, or security of the licensee;
(2) Information concerning a consumer that because of the name, number, personal mark, or other identifier contained in the information can be used to identify that consumer in combination with any one or more of the following data elements:
(a) Social security number;
(b) Driver's license, commercial driver's license, or state identification card number;
(c) Account, credit card, or debit card number;
(d) Any security code, access code, or password that would permit access to the consumer's financial account;
(e) Biometric records.
(3) Any information or data, except age or gender, that is in any form or medium created by or derived from a health care provider or a consumer, that can be used to identify a particular consumer, and that relates to any of the following:
(a) The past, present, or future physical, mental, or behavioral health or condition of the consumer or a member of the consumer's family;
(b) The provision of health care to the consumer;
(c) Payment for the provision of health care to the consumer.
(P) "Publicly available information" means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state, or local law.
For the purposes of this chapter, a licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine both of the following:
(1) That the information is of the type that is available to the general public;
(2) Whether a consumer can direct that the information not be made available to the general public and, if so, that the consumer has not done so.
(Q) "Risk assessment" means the risk assessment that each licensee is required to conduct under division (C) of section 3965.02 of the Revised Code.
(R) "Third-party service provider" means a person other than a licensee that:
(1) Contracts with a licensee to maintain, process, or store nonpublic information through its provision of services to the licensee;
(2) Otherwise is permitted access to nonpublic information through its provision of services to the licensee.
Chapter 3965 | Cybersecurity Requirements for Insurance Companies
Section 3965.01 | Definitions.
Section 3965.02 | Information Security Program.
Section 3965.03 | Investigation of Events.
Section 3965.04 | Notification to Superintendent.
Section 3965.05 | Powers of Superintendent.
Section 3965.06 | Confidentiality.
Section 3965.08 | Affirmative Defense.
Section 3965.09 | Applicability and Scope of Chapter.