Fiscal Note & Local Impact Statement
126th General Assembly of Ohio
STATE FUND | FY 2006 | FY 2007 | FUTURE YEARS
General Revenue Fund – various state agencies
  Revenues | - 0 - | - 0 - |
  Expenditures | Potential increase | Potential increase | Potential increase
Other State Funds – various state agencies
  Revenues | - 0 - | - 0 - | - 0 -
  Expenditures | Potential increase | Potential increase | Potential increase
Consumer Protection Enforcement Fund (Fund 631) – Attorney General
  Revenues | Potential gain in fine revenue | Potential gain in fine revenue | Potential gain in fine revenue
  Expenditures | Potential increase in investigation costs | Potential increase in investigation costs | Potential increase in investigation costs
Note: The state fiscal year is July 1 through June 30. For example, FY 2006 is July 1, 2005 – June 30, 2006.
· Impact on State Agencies – Notification Requirements. State agencies that maintain personal data must disclose any breach of the security of the system, following its discovery or notification of the breach, to any resident of this state whose personal information was, or is believed to have been, acquired by an unauthorized person. All of the disclosure/notification methods outlined in the bill will have a cost in terms of staff time to prepare the disclosure or notification; the cost would depend on the method chosen. In addition, there potentially would be unknown costs associated with responding to what would likely be a large volume of inquiries from the public once news of a security breach is made public.
· Department of Administrative Services – Office of Information Technology (OIT). OIT, which manages much of the statewide information technology infrastructure and sets statewide information technology management policy, may face minimal additional administrative expenses associated with the provisions in this bill. However, as OIT already takes measures to protect data, it should not experience a large increase in expenditures.
· Attorney General. The bill authorizes the Attorney General to investigate and enforce compliance with the requirements of the bill and to bring a civil action in a court of common pleas for appropriate relief if it appears that a state agency, agency of a political subdivision, or person has failed or is failing to comply with the provisions of this bill. While these authorizations will involve some cost to the Attorney General's office, all civil penalties assessed as a result of a violation of the provisions of this bill will be credited to the Consumer Protection Enforcement Fund (Fund 631). In addition, any state agency, person, or business found by the court to have failed to comply with the provisions of the bill shall be liable to the Attorney General for the costs incurred in conducting an investigation and bringing an action under this bill.
LOCAL GOVERNMENT | FY 2006 | FY 2007 | FUTURE YEARS
Political Subdivisions
  Revenues | - 0 - | - 0 - | - 0 -
  Expenditures | Variable increase in notification costs depending on method chosen | Variable increase in notification costs depending on method chosen | Variable increase in notification costs depending on method chosen
Courts of Common Pleas
  Revenues | Potential gain from court fees | Potential gain from court fees | Potential gain from court fees
  Expenditures | Potential increase to adjudicate cases | Potential increase to adjudicate cases | Potential increase to adjudicate cases
Note: For most local governments, the fiscal year is the calendar year. The school district fiscal year is July 1 through June 30.
· Various political subdivisions may experience expenditure increases to provide notices to individuals of unauthorized access to their personal information. The actual costs for political subdivisions will vary depending on the number of individuals affected and/or the extent of the security breach of personal information databases, as well as, similar to the state, the method of notification chosen.
· Various courts of common pleas may experience expenditure increases for imposing civil penalties, issuing court orders, restraining orders, and preliminary or permanent injunctions. Any costs incurred by the courts are likely to be offset by court fees. Overall cost would depend on the complexity of the cases brought forward.
The bill requires a state agency, agency of a political subdivision, person, or business entity to contact individuals if unencrypted or unredacted personal information about those individuals that is included in computerized data owned or licensed by the state agency, agency of a political subdivision, person, or business entity is obtained by unauthorized persons and causes, or potentially will create, a material risk of identity fraud or similar fraud. The bill also authorizes the Attorney General to investigate and enforce compliance with the bill's requirements. This fiscal note describes the provisions of the bill that could potentially add new state and local costs. Please see the LSC Bill Analysis for more detail on the bill's other provisions.
Background
The Department of Administrative Services (DAS), which manages much of the statewide information technology infrastructure and sets statewide information technology management policy, estimates that most, if not all, state agencies own or maintain computerized data that includes personal information, as every agency has a constituency of the public that it interacts with in some form. As examples, the Department of Taxation has computerized tax records, the Department of Public Safety has driver's license records, the Adjutant General has National Guard records, and the Department of Job and Family Services has Medicaid databases. Furthermore, there are most likely boards and commissions that also would have this type of data.
The Office of Information Technology (OIT) within DAS is an example of an entity that maintains computerized data that includes personal information on behalf of other agencies. OIT is responsible for running the mainframes and servers that form the framework through which all state agencies' data flows. OIT estimates there are a handful of other state agencies that maintain this data. As a result, potentially every state agency would be impacted by the bill's reporting and notification requirement.
In their normal course of business, state agencies take measures to protect data and correct any data that is corrupted. Security measures in place in varying degrees within state agencies include firewalls, access log reviews, user identification/password security measures, and token-card access for traveling users. Agencies currently assess their level of risk and are required to have measures in place to protect data. OIT has identified security contacts within each agency in order to share techniques for protection, to distribute alerts of new types of attacks, and to share information about attacks against state agency systems.
Fiscal Impact for Disclosure of Unauthorized Obtainment of Personal Information
If an unauthorized person obtains unencrypted or unredacted personal information that is maintained on the computers of a state agency, an agency of a political subdivision, or a person, then that entity is required to inform, within 45 days, those persons (residents of the state) whose personal information has been obtained in this manner, either through written notice, electronic notice, telephone notice, or substitute notice.
The bill provides for two forms of substitute notice. The first form of substitute notice (electronic mail notice, conspicuous posting on a web site, notification to major media outlets) shall be provided if the person does not have sufficient information to provide the notice by written notice, electronic notice, or telephone notice, if the cost of providing the disclosure would exceed $250,000, or if the class of subject residents to whom the disclosure or notification is required exceeds 500,000 persons. The second form of substitute notice (advertisement distributed in the area in which the business entity is located, conspicuous posting on the business entity's web site, or notification to major media outlets in the area where the business entity is located) shall be provided if it is determined that the person is a business entity with fewer than ten employees and that the cost of providing the notice will exceed $10,000.
All disclosure or notification methods have a cost in terms of staff time to prepare the disclosure or notifications. Also, there likely will be costs associated with responding to a large volume of inquiries from the public once news of a security breach is made public. In terms of notification, the most expensive option would likely be written notification, which would require printing and postal charges for an actual mailed letter to all impacted individuals. Even at state bulk printing and mailing rates, DAS estimates this would be a significant cost. The other options would each have a cost, but they would be much more modest. Major media notification would most likely require a press release to all state media outlets; there would be expenses associated with producing and distributing the release, but they would be fairly minimal. Electronic mail notifications or an agency web site announcement would have an impact on state computing resources but would not likely result in substantial costs. Overall, these costs will affect state agencies as well as political subdivisions.
Also, if these entities or a person discover circumstances that require disclosure to more than 1,000 residents of the state involved in a single security breach, they must, without delay and in addition to notifying every individual, notify all consumer reporting agencies of the disclosure. This requirement will most likely result in some additional administrative expenses for state agencies as well as agencies of political subdivisions. According to the National Credit Reporting Association, Inc., there are approximately 200 consumer reporting agencies in the United States. Depending on how state agencies and agencies of political subdivisions notify such agencies, the expenses associated with this provision would vary.
Civil Actions
The bill authorizes the Attorney General to conduct an investigation if it is believed that a state agency or a person or business has failed to comply with the notification and disclosure requirements of this bill. According to the Attorney General's office, there are no current estimates on how many security breaches involving unauthorized access of personal information occur each year. Thus, it is difficult to predict how much additional work this provision will create; however, it is likely that the Attorney General will experience some increase in expenses in investigating violations of the bill.
The bill requires civil penalties to be imposed upon a state agency, political subdivision, or person if these entities appear to have failed, or are failing, to comply with the provisions in the bill (with exceptions described in the LSC bill analysis). If a state agency, political subdivision, or person has failed to comply with the applicable sections, the bill requires a civil penalty of not more than $1,000 to be imposed for each day of noncompliance during the first 60 days. After the 61st day and through the 90th day, the civil penalty increases to up to $5,000 for each day the person fails to comply with applicable sections of the bill. After the 91st day, the bill requires a civil penalty of not more than $10,000 to be imposed for each day the agency or person fails to comply with the section.
The bill further states that the civil penalties imposed by a court of common pleas shall be deposited into the Consumer Protection Enforcement Fund. All moneys in the Consumer Protection Enforcement Fund shall be used for the sole purpose of paying expenses incurred by the consumer protection section of the Attorney General's office. Furthermore, the bill specifies that any state agency or person or business found to have failed to comply with the provisions of the bill shall be liable to the Attorney General for the Attorney General's costs in conducting investigations and bringing an action under this section, thus offsetting those costs.
Courts of Common Pleas
Various courts of common pleas may experience expenditure increases for imposing civil penalties, issuing court orders, restraining orders, and preliminary or permanent injunctions. Any costs incurred by the courts are likely to be offset by court fees. Overall, court expenses would vary according to the complexity of the cases being handled.
LSC fiscal staff: Ann Braam, Budget Analyst
Jonathan Lee, Senior Budget Analyst