Introduction to Ohio Privacy Rights
Ohio residents navigate a complex privacy landscape shaped by both federal regulations and state-specific laws that govern how personal information can be collected, used, and disclosed. Unlike states such as California, Virginia, or Colorado that have enacted comprehensive consumer privacy laws, Ohio operates under a sector-specific approach, with privacy protections scattered across multiple statutes addressing particular industries or data types. This fragmented framework means Ohioans must understand various laws to fully comprehend their privacy rights.
The privacy protections available to Ohio residents include the Ohio Data Protection Act (Ohio Revised Code §1354), which creates an affirmative defense for businesses that maintain cybersecurity programs, and Ohio's data breach notification law (Ohio Revised Code §1349.19 and §1349.191), which requires notification when personal information is compromised. Ohio also provides specific protections through its Public Records Act (Ohio Revised Code §149.43), which balances government transparency with individual privacy by exempting certain personal information from disclosure.
Compared to other states, Ohio's privacy framework falls in the middle tier. While it lacks the comprehensive consumer data privacy rights found in states with omnibus privacy laws, Ohio has been proactive in certain areas, particularly regarding data security standards and breach notification requirements. The state has also implemented specific protections for vulnerable populations, including children and victims of certain crimes. For Ohio residents concerned about privacy, understanding both the protections that exist and the gaps in coverage is essential for taking proactive steps to safeguard personal information in an increasingly digital world.
Ohio's State Privacy Laws
Ohio's privacy legal framework consists of multiple statutes addressing specific sectors and types of data rather than a single comprehensive privacy law. Understanding these distinct laws is crucial for Ohio residents seeking to protect their personal information.
Data Breach Notification Law
Ohio's primary data breach notification statute is codified in Ohio Revised Code §1349.19 and §1349.191. Under this law, any person or business that owns or licenses computerized data containing personal information must provide notice to affected Ohio residents when a breach of security exposes their personal information. "Personal information" is defined as an individual's name combined with Social Security number, driver's license number, account number with security code, or other identifying information that would permit access to an individual's financial account.
The law requires notification "in the most expedient time possible and without unreasonable delay," with specific consideration for law enforcement needs and measures necessary to determine the scope of the breach. Entities must also notify consumer reporting agencies if the breach affects more than 1,000 Ohio residents. Violations can result in civil actions by the Ohio Attorney General, with penalties and the possibility of restitution for affected individuals.
Ohio Data Protection Act
Enacted in 2018, the Ohio Data Protection Act (Ohio Revised Code §1354) takes a unique approach by creating a legal safe harbor for businesses rather than imposing new requirements. Companies that create, maintain, and comply with a written cybersecurity program consistent with an industry-recognized framework (such as NIST or ISO standards) gain an affirmative defense in civil actions alleging failure to implement reasonable information security controls. This incentive-based approach encourages businesses to adopt robust data protection measures while limiting litigation exposure.
Financial Privacy Protections
Ohio Revised Code §1349.19 extends beyond general breach notification to include specific provisions for financial institutions. Ohio law also incorporates federal financial privacy standards established under the Gramm-Leach-Bliley Act, requiring financial institutions to provide privacy notices and allow consumers to opt out of certain information-sharing practices. Ohio residents have the right to request their financial privacy notices and opt out of having their information shared with non-affiliated third parties for marketing purposes.
Employee Privacy Rights
Ohio law provides limited but important privacy protections for employees. Under Ohio Revised Code §4113.23, employers may not require employees or applicants to disclose their personal social media passwords. This statute, enacted in 2014, prohibits employers from demanding access to personal accounts or requiring employees to add the employer to their contact lists. However, employers may still request access to accounts created for business purposes or monitor devices provided by the employer.
Ohio law also addresses workplace drug testing (Ohio Revised Code §4113.52) and requires certain procedures be followed to protect employee privacy during testing processes. Additionally, Ohio Administrative Code §4123-17-16 establishes privacy protections for workers' compensation records, limiting who can access these sensitive documents.
Insurance Information Privacy
The Ohio Department of Insurance enforces privacy standards for insurance companies operating in the state under Ohio Revised Code Chapter 3904. These provisions govern how insurers collect, use, and disclose personal information, requiring notice to consumers and establishing procedures for correcting inaccurate information in insurance records.
Freedom of Information / Open Records in Ohio
Ohio's open government law is known as the Ohio Public Records Act, codified in Ohio Revised Code §149.43. This statute establishes that all public records are presumptively open to public inspection, with specific exemptions carved out to protect individual privacy and other legitimate interests. The Act reflects Ohio's strong commitment to government transparency while recognizing that certain information requires protection.
What the Public Records Act Covers
Under §149.43, "public records" include any records kept by public offices, defined broadly to encompass state agencies, political subdivisions, and other governmental entities. Records include documents, photographs, electronic files, emails, text messages, and any other recorded information created or received in connection with official business. The Act applies to executive, legislative, and judicial branches, as well as state universities, public schools, and local governments.
Privacy Exemptions
Ohio Revised Code §149.43(A)(1) lists numerous exemptions protecting personal privacy. Key exemptions include:
- Medical records (protected under §149.43(A)(1)(a))
- Records pertaining to adoption proceedings, child abuse and neglect cases, and juvenile court records
- Peace officer, parole officer, probation officer, and prosecution witness residential and family information (§149.43(A)(1)(v))
- Confidential law enforcement investigatory records (§149.43(A)(2))
- Trial preparation records (§149.43(A)(4))
- Social Security numbers, with limited exceptions (§149.43(A)(1)(ff))
- Personal information of participants in address confidentiality programs
- Body-worn camera and dashboard camera recordings, unless specific conditions are met (§149.43(A)(22))
How to Request Records
Ohio residents can submit public records requests orally or in writing, though written requests are recommended for documentation purposes. Requests should be submitted to the records custodian of the specific public office holding the records. The request must identify the records sought with reasonable specificity but does not need to state a reason for the request. Public offices cannot require requesters to provide their identity or the purpose of the request, though they may ask for clarification to locate the records.
Response Time Requirements
Ohio law requires public offices to respond to records requests promptly. While §149.43 does not specify an exact number of days, it mandates that records be made available "within a reasonable period of time." Ohio courts have interpreted "reasonable" based on the volume and complexity of the request, typically ranging from a few days to several weeks for large requests. Public offices must acknowledge the request and provide an estimated timeframe for production if immediate compliance is not possible.
Fee Schedules
Public offices may charge actual costs for copying records, including supplies and staff time for large or complex requests. However, §149.43(B)(7) prohibits charging for the time spent locating and reviewing records for routine requests. Fees must be established by policy and made available to requesters. Many offices charge per-page copying fees (typically $0.05-$0.10 per page) and actual costs for electronic media.
Appeals Process
If a public office denies a records request, the requester can file a mandamus action in the Ohio Court of Common Pleas under §149.43(C). If the court determines the public office failed to comply with the law, it must order disclosure and award attorney fees and court costs to the requester. The public office or official may also face penalties. Requesters may also file complaints with the Ohio Attorney General's Office, which can investigate and mediate disputes.
HIPAA and Health Privacy in Ohio
The Health Insurance Portability and Accountability Act (HIPAA) establishes federal baseline protections for medical information that apply throughout Ohio. All covered entities in Ohio—including healthcare providers, health plans, and healthcare clearinghouses—must comply with HIPAA's Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E) and Security Rule.
Under HIPAA, Ohio residents have the right to access their medical records, request corrections, receive an accounting of disclosures, and file complaints about privacy violations with the U.S. Department of Health and Human Services Office for Civil Rights. Healthcare providers must provide patients with a Notice of Privacy Practices explaining how their information may be used and disclosed.
Ohio-Specific Health Privacy Protections
Ohio law provides additional health privacy protections that exceed HIPAA's requirements in certain areas. Ohio Revised Code §3701.243 establishes specific confidentiality protections for HIV/AIDS testing and treatment information, requiring written consent before disclosure and imposing criminal penalties for unauthorized disclosure. These protections are more stringent than HIPAA's general standards.
Ohio Revised Code §5122.31 protects mental health records maintained by the Ohio Department of Mental Health and Addiction Services and community mental health providers. These records are confidential and can only be disclosed with patient consent or as specifically authorized by law, such as for treatment purposes or court orders.
Ohio's drug database, the Ohio Automated Rx Reporting System (OARRS), maintained under Ohio Revised Code §4729.75 through §4729.86, tracks controlled substance prescriptions. Access to this database is strictly limited to authorized prescribers, dispensers, law enforcement with proper legal authority, and patients seeking their own records.
Protecting Your Medical Records
Ohio residents can take several steps to protect medical privacy: request copies of your medical records annually to ensure accuracy; limit disclosure authorizations to specific purposes and timeframes; ask healthcare providers about their privacy practices; report suspected violations to the OCR HIPAA hotline at 1-800-368-1019; and consider designating a personal representative through appropriate legal documentation to control access to your records.
Consumer Data Privacy Rights in Ohio
Unlike comprehensive consumer privacy law states, Ohio residents' data privacy rights derive from a patchwork of federal laws and limited state statutes. Understanding these rights requires examining multiple legal frameworks that apply to different types of data and businesses.
Current Consumer Rights
Ohio consumers have specific rights under federal law that apply statewide, including rights under the Fair Credit Reporting Act (FCRA), which governs how consumer reporting agencies collect and use personal information. Ohio residents can request free annual credit reports from each of the three major credit bureaus through AnnualCreditReport.com, dispute inaccurate information, and place fraud alerts or credit freezes.
The Telephone Consumer Protection Act (TCPA) allows Ohio residents to register phone numbers with the National Do Not Call Registry and file complaints about unwanted telemarketing calls. The CAN-SPAM Act provides rights regarding commercial email, including the ability to opt out of marketing messages.
Ohio-Specific Consumer Protections
The Ohio Consumer Sales Practices Act (Ohio Revised Code §1345.01 through §1345.13) provides broad protections against unfair and deceptive business practices, including misrepresentation about how personal information will be used. The Ohio Attorney General can bring enforcement actions under this statute, and consumers can file private lawsuits for violations.
Ohio Revised Code §1349.40 prohibits businesses from printing more than the last five digits of a credit card number on receipts, protecting against identity theft. Violations can result in civil penalties of up to $1,000 per violation.
Opt-Out Rights
Ohio residents can exercise various opt-out rights: opt out of pre-approved credit offers by calling 1-888-567-8688 or visiting OptOutPrescreen.com; opt out of sharing by financial institutions under the Gramm-Leach-Bliley Act by following procedures in privacy notices; register with the National Do Not Call Registry at DoNotCall.gov; and opt out of targeted advertising through the Digital Advertising Alliance's opt-out tool at optout.aboutads.info.
Removing Information from Data Brokers
Data brokers compile and sell personal information, and Ohio lacks a comprehensive law requiring these companies to honor deletion requests. However, many data brokers voluntarily offer opt-out mechanisms. Ohio residents should systematically contact major data brokers including: Spokeo, PeopleFinders, Whitepages, BeenVerified, Intelius, MyLife, and Radaris. Each company has its own opt-out process, typically requiring identity verification and manual submission of removal requests.
For more persistent removal, consider using privacy services that automate data broker opt-outs, though these typically charge subscription fees. Document all opt-out requests and check periodically, as information may reappear when data brokers refresh their databases.
Credit Reporting Rights
Under the FCRA, Ohio residents have the right to dispute inaccurate information on credit reports. Send dispute letters to credit bureaus (Equifax, Experian, TransUnion) via certified mail with supporting documentation. Bureaus must investigate within 30 days and correct or delete unverified information. Ohio residents can also place security freezes on credit reports free of charge under federal law (strengthened by the Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018), preventing creditors from accessing reports without authorization.
Employment Background Checks & Privacy in Ohio
Ohio employers frequently conduct background checks on applicants and employees, but both federal and state laws regulate what information can be accessed and how it can be used. Understanding these limitations helps Ohio job seekers protect their privacy rights and challenge improper use of personal information.
Federal Requirements
The Fair Credit Reporting Act (FCRA) governs employment background checks conducted by third-party consumer reporting agencies. Employers must obtain written consent before procuring a background check, provide a copy of the report if taking adverse action, and allow the applicant opportunity to dispute inaccurate information. Ohio employers must comply with these federal requirements.
Ohio-Specific Background Check Regulations
Ohio Revised Code §9.79 requires criminal background checks for certain positions working with vulnerable populations, including children and elderly individuals. However, the statute also establishes procedures for considering criminal history, preventing blanket exclusions based solely on conviction records.
Ohio employers cannot access sealed or expunged records. Once a court grants expungement under Ohio Revised Code §2953.32, the criminal record is removed from public access, and applicants can legally answer "no" when asked if they have been convicted of the expunged offense. Employers who improperly access or use expunged records may face legal liability.
Ban-the-Box in Ohio
Ohio does not have a statewide ban-the-box law prohibiting employers from asking about criminal history on initial applications. However, several Ohio municipalities have enacted local ordinances. Cleveland's ban-the-box law (Cleveland Codified Ordinances Chapter 188) applies to city employment and contractors, prohibiting criminal history questions until after a conditional offer. Columbus has similar protections for city positions.
Despite the absence of a statewide ban, Ohio employers must still comply with Equal Employment Opportunity Commission (EEOC) guidance on using criminal records, which requires individualized assessment considering the nature of the crime, time elapsed, and job relevance. Blanket exclusions may constitute disparate impact discrimination.
Criminal Record Accessibility
Ohio criminal records are generally public and accessible through county clerk of courts offices and the Ohio Bureau of Criminal Investigation's electronic database. Misdemeanor convictions remain accessible indefinitely unless sealed or expunged. Felony convictions also remain permanently accessible absent court intervention.
However, Ohio law provides mechanisms for limiting access. Under Ohio Revised Code §2953.32 (sealing) and §2953.31 (expungement for acquittals and dismissals), eligible individuals can petition courts to seal conviction records or expunge non-conviction records. Sealing eligibility depends on the offense type, with violent offenses and first- and second-degree felonies generally ineligible. Most misdemeanors and fourth- and fifth-degree felonies can be sealed one year after final discharge. Third-degree felonies require a three-year waiting period.
Disputing Inaccurate Background Check Information
Ohio residents who discover inaccurate information on employment background checks should immediately contact the consumer reporting agency that prepared the report, submitting a written dispute with supporting documentation. Under the FCRA, agencies must investigate within 30 days and correct errors. If the agency fails to correct inaccurate information, file a complaint with the Federal Trade Commission and the Ohio Attorney General's Consumer Protection Section.
For errors in underlying court records, contact the relevant Ohio court to request corrections. The Ohio Bureau of Criminal Investigation maintains the state's criminal history database; errors in this system require submitting a Challenge Form (BCI Form 1001) with fingerprints and supporting documentation to BCI at P.O. Box 365, London, OH 43140.
Protecting Yourself in Ohio: Practical Steps
Ohio residents can take concrete actions to enhance privacy protection. The following step-by-step guide provides specific instructions for common privacy-protective measures.
Opting Out of People-Search Sites
Begin with the major people-search sites that aggregate Ohio public records:
Spokeo: Visit spokeo.com/optout, search for your listing, copy the URL, and submit the opt-out form. Verification takes 5-7 business days.
Whitepages: Go to whitepages.com/suppression-requests, locate your profile, and submit the suppression request. Processing takes 24-48 hours.
BeenVerified: Visit beenverified.com/app/optout/search, find your listing, and complete the opt-out form. Allow 24 hours for removal.
PeopleFinders: Navigate to peoplefinders.com/opt-out, search for your record, and submit removal request with email verification.
Intelius: Visit intelius.com/opt-out, locate your profile, and follow the multi-step verification process requiring email confirmation.
Repeat this process every 6-12 months, as information may reappear when databases are updated with new public records.
Freezing Your Credit
Ohio residents can freeze credit reports free of charge at all three major bureaus:
Equifax: Call 1-800-349-9960 or visit equifax.com/personal/credit-report-services/credit-freeze/
Experian: Call 1-888-397-3742 or visit experian.com/freeze/center.html
TransUnion: Call 1-888-909-8872 or visit transunion.com/credit-freeze
Also freeze your file with Innovis (innovis.com/personal/securityFreeze) and the National Consumer Telecommunications and Utilities Exchange (nctue.com/consumers) to comprehensively protect against identity theft. When freezing, you'll receive a PIN or password needed to temporarily lift the freeze when applying for credit.
Requesting Record Sealing/Expungement in Ohio
Determine eligibility under Ohio Revised Code §2953.32 for sealing convictions or §2953.31 for expunging non-conviction records. Obtain certified copies of all relevant records from the court where the case was adjudicated. Complete the Application for Sealing of a Criminal Record (form varies by county) available from the clerk of courts.
File the application with the same court that handled the original case, along with required filing fees (typically $50-$100, though fee waivers are available for indigent applicants). The prosecutor has the opportunity to object, and the court may schedule a hearing. If granted, the court issues an order sealing the record, which must be served on all agencies that maintain records of the case, including local law enforcement, the Ohio Bureau of Criminal Investigation, and the FBI.
For assistance, contact Ohio Legal Help (ohiolegalhelp.org) or local legal aid organizations including Legal Aid Society of Columbus (614-241-2001), Legal Aid Society of Cleveland (216-687-1900), or Community Legal Aid Services in Akron (330-535-4191).
Contacting Key Ohio Privacy Agencies
Ohio Attorney General's Office, Consumer Protection Section: For consumer privacy complaints and data breach notifications. Phone: 1-800-282-0515. Website: OhioAttorneyGeneral.gov
Ohio Department of Commerce, Division of Financial Institutions: For financial privacy concerns. Phone: 614-728-8400. Address: 77 S. High Street, 21st Floor, Columbus, OH 43215.
Ohio Bureau of Criminal Investigation: For criminal record challenges and corrections. Phone: 740-845-2406. Address: P.O. Box 365, London, OH 43140.
Ohio Department of Health: For health privacy violations by state-regulated entities. Phone: 614-466-3543. Address: 246 North High Street, Columbus, OH 43215.
Additional Protective Measures
Register for Ohio's Address Confidentiality Program if you're a victim of domestic violence, stalking, human trafficking, or certain other crimes. Contact the Ohio Secretary of State's Office at 614-466-2585 or visit ohiosos.gov for application information. Consider placing fraud alerts on credit reports, which require creditors to verify identity before extending credit. Review privacy settings on social media accounts and limit public information. Use strong, unique passwords and enable two-factor authentication on all online accounts containing personal information.
Ohio Data Breach Notification Requirements
Ohio's data breach notification law, codified in Ohio Revised Code §1349.19 and §1349.191, establishes specific obligations for entities that experience security breaches compromising Ohio residents' personal information.
Who Must Notify
Any person or business that "owns or licenses" computerized data containing personal information about Ohio residents must provide notification following a breach of security. This applies regardless of whether the entity is located in Ohio—out-of-state companies maintaining data about Ohio residents must comply. Third-party service providers that maintain data on behalf of other businesses must notify the data owner, who then bears responsibility for notifying affected individuals.
What Triggers Notification
A "breach of security" under §1349.19(A)(1) means unauthorized access to or acquisition of computerized data that compromises the security or confidentiality of personal information. "Personal information" is defined as an individual's name (first name or initial and last name) combined with and linked to one or more of the following: Social Security number, driver's license number or state identification card number, or account number, credit card number, or debit card number with required security code, access code, or password that would permit access to an individual's financial account.
The law includes a harm threshold: notification is not required if, after reasonable investigation, the entity determines that misuse of the information has not and will not occur. This determination must be documented.
Notification Timeframe
Entities must provide notice "in the most expedient time possible and without unreasonable delay." While the statute does not specify an exact number of days, Ohio courts and the Attorney General interpret this to mean notification should occur as soon as the entity completes investigation to determine the scope of the breach and has consulted with law enforcement. Delays are permitted only to accommodate legitimate law enforcement needs or to determine the scope of the breach and restore system integrity. Most entities provide notification within 30-45 days of discovering the breach.
Method of Notification
Notice must be provided by one of the following methods: written notice to the individual's last known address; telephone notice; or email notice if the entity's primary method of communication with the individual is email. If the cost of providing notice would exceed $250,000, the affected class exceeds 500,000 persons, or the entity does not have sufficient contact information, substitute notice is permitted through conspicuous website posting and notification to major statewide media.
Content of Notification
The notification must include a description of the breach in general terms, the type of personal information compromised, general steps the entity has taken to protect the information from further unauthorized access, telephone number or website where individuals can obtain additional information, and advice to remain vigilant by reviewing account statements and monitoring credit reports.
Consumer Reporting Agency Notification
If the breach affects more than 1,000 Ohio residents, the entity must also notify, without unreasonable delay, all consumer reporting agencies of the timing, distribution, and content of the notice to affected individuals.
Penalties and Enforcement
The Ohio Attorney General has authority to enforce the data breach notification law. Violations constitute deceptive trade practices under the Ohio Consumer Sales Practices Act, subjecting violators to civil penalties up to $5,000 per violation for initial offenses and up to $10,000 for subsequent violations. The Attorney General can also seek injunctive relief and restitution for affected consumers. Additionally, affected individuals may have private causes of action for damages resulting from failure to provide proper notification.
Children's Privacy in Ohio
Children's personal information receives special protection under both federal and Ohio state law, recognizing minors' particular vulnerability to privacy invasions and their limited ability to consent to data collection.
COPPA Compliance in Ohio
The Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §6501-6506, applies to operators of websites and online services directed at children under 13 or that have actual knowledge they are collecting information from children under 13. Ohio-based companies and websites accessible to Ohio children must comply with COPPA's requirements: posting clear privacy policies, obtaining verifiable parental consent before collecting personal information from children, giving parents access to their children's information, allowing parents to revoke consent and delete information, and maintaining reasonable data security.
The Federal Trade Commission enforces COPPA and has brought actions against numerous companies, including some with Ohio operations, resulting in substantial penalties for violations.
Ohio-Specific Child Privacy Protections
Ohio Revised Code §2151.142 protects the confidentiality of juvenile court records, limiting disclosure of information about children involved in delinquency, abuse, neglect, and dependency proceedings. These records are not public records under the Ohio Public Records Act and can only be accessed by parties to the case, attorneys, and others specifically authorized by statute or court order.
Ohio Revised Code §3319.321 restricts disclosure of student personal information by public schools and educational institutions, implementing and extending federal FERPA protections. Ohio schools must obtain parental consent before releasing student records except in specific circumstances permitted by law.
FERPA Application in Ohio
The Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. §1232g, protects student education records in Ohio schools that receive federal funding (virtually all public schools and most private schools). Parents have the right to inspect and review their child's education records, request amendments to inaccurate records, and control disclosure of personally identifiable information from the records.
Ohio schools must provide annual notification of FERPA rights and obtain written consent before disclosing education records, with exceptions for school officials with legitimate educational interests, other schools to which the student is transferring, specified federal and state authorities, and certain other limited circumstances. Ohio parents can file complaints about FERPA violations with the U.S. Department of Education's Family Policy Compliance Office.
Ohio educational institutions must also comply with Ohio Revised Code §3319.321, which requires written policies on student records and prohibits disclosure without parental consent except as permitted by state and federal law. The Ohio Department of Education provides guidance to schools on maintaining compliance with both FERPA and state privacy requirements.
Frequently Asked Questions About Privacy Rights in Ohio
1. Does Ohio have a comprehensive consumer data privacy law like California's CCPA?
No, Ohio has not enacted a comprehensive consumer data privacy law. Unlike California, Virginia, Colorado, and other states with omnibus privacy legislation, Ohio's privacy protections come from sector-specific laws addressing particular industries or data types. Ohio residents lack broad rights to access, delete, or opt out of sale of their personal information that residents of comprehensive privacy law states enjoy. However, Ohio has data breach notification requirements, specific financial and health privacy protections, and the Ohio Data Protection Act, which incentivizes businesses to implement cybersecurity programs.
2. How do I access my criminal record in Ohio, and can I get it sealed?
Ohio residents can request their criminal history from the Ohio Bureau of Criminal Investigation by submitting a WebCheck request at ohioattorneygeneral.gov/webcheck or by mailing BCI Form 1001 with fingerprints and a $22 fee to P.O. Box 365, London, OH 43140. For court records, contact the clerk of courts in the county where the case was adjudicated. You may be eligible to seal your record under Ohio Revised Code §2953.32 if you have an eligible offense (most misdemeanors and fourth- and fifth-degree felonies), have completed all sentences and waiting periods (one year for eligible misdemeanors and certain felonies, three years for third-degree felonies), and have no pending cases or recent convictions. File a sealing application with the court that handled your case. First- and second-degree felonies and violent offenses are generally not eligible for sealing.
3. What should I do if I receive a data breach notification letter from a company?
Take the notification seriously and act promptly. Review the letter carefully to understand what information was compromised and what services the company is offering (such as free credit monitoring). Immediately change passwords for any affected accounts and enable two-factor authentication. Place a fraud alert on your credit reports by contacting one of the three major credit bureaus (the bureau you contact must notify the other two). Consider placing a credit freeze for more comprehensive protection. Monitor your financial accounts and credit reports closely for suspicious activity. Keep the notification letter and document all steps you take. If you notice fraudulent activity, report it to local law enforcement and file an identity theft report at IdentityTheft.gov. You can also file a complaint with the Ohio Attorney General's Consumer Protection Section at 1-800-282-0515.
4. Can my employer in Ohio monitor my personal social media accounts?
Ohio Revised Code §4113.23 prohibits employers from requiring employees or applicants to disclose passwords to personal social media accounts or requiring them to add the employer or supervisors to their contact lists. Employers cannot discipline, discharge, or retaliate against employees who refuse such demands. However, this protection has limitations: it does not prevent employers from viewing publicly available social media content, monitoring accounts or devices provided by the employer, or requesting access to accounts created for business purposes. Employers can also enforce policies prohibiting employees from posting certain content (such as confidential business information) and can discipline employees for posts that violate legitimate workplace policies. If your employer violates the social media privacy law, document the violation and consult an employment attorney or file a complaint with the Ohio Civil Rights Commission.
5. How long does a public office in Ohio have to respond to my public records request?
Ohio Revised Code §149.43 requires public offices to make records available "within a reasonable period of time" but does not specify an exact number of days. What constitutes "reasonable" depends on factors including the volume of records requested, whether records must be redacted, and the office's resources. For simple requests, courts have found a few days to be reasonable. For complex or voluminous requests, several weeks may be acceptable. The public office should acknowledge your request promptly and provide an estimated timeframe if immediate production is not possible. If a public office fails to respond within what you believe is a reasonable time, contact the office to inquire about the status. If you believe the office is improperly withholding records, you can file a mandamus action in the Ohio Court of Common Pleas under §149.43(C) to compel disclosure. You can also file a complaint with the Ohio Attorney General's Office, though the Attorney General has limited enforcement authority in public records disputes.
6. Are there specific Ohio laws protecting my medical information beyond HIPAA?
Yes, Ohio provides several health privacy protections that supplement federal HIPAA requirements. Ohio Revised Code §3701.243 establishes enhanced confidentiality for HIV/AIDS test results and