Can I skip having an information security program in place in Ohio? What are the requirements?

Information Security Program Requirements in Ohio

In Ohio, it is not recommended to skip having an information security program in place. The Ohio Administrative Code (OHAC) Rule 123-2-11 requires the Department to adopt, implement, and enforce a security plan for the protection of personal information ^[3.1]. The security plan must include a statement of the security precautions for each personal information system, a method of informing agency employees concerning appropriate and inappropriate uses, disclosure and access to the personal information, as well as penalties and sanctions, civil or criminal, for the unlawful use or disclosure of personal information and the failure to take reasonable precautions to protect the security of personal information ^[3.1].

Consequences of Not Having an Information Security Program

Failure to comply with the OHAC Rule 123-2-11 may result in penalties and sanctions, civil or criminal, for the unlawful use or disclosure of personal information and the failure to take reasonable precautions to protect the security of personal information ^[3.1].

Conclusion

It is not recommended to skip having an information security program in place in Ohio. The OHAC Rule 123-2-11 requires the Department to adopt, implement, and enforce a security plan for the protection of personal information. Failure to comply with the OHAC Rule 123-2-11 may result in penalties and sanctions, civil or criminal, for the unlawful use or disclosure of personal information and the failure to take reasonable precautions to protect the security of personal information.

Source(s):

• [3.1] Security precautions.

Jurisdiction

Ohio

• Privacy