There is a newer version of this Section
2023
2022
2021
2020
2019 (you are here)
Other previous versions
View our newest version here

2019 Ohio Revised Code
Title [39] XXXIX INSURANCE
Chapter 3965 - CYBERSECURITY REQUIREMENTS FOR INSURANCE COMPANIES
Section 3965.07 - Exemptions.

Universal Citation: Ohio Rev Code § 3965.07 (2019)
Previous Next

(A) A licensee is exempt from the requirements of section 3965.02 of the Revised Code if it meets any of the following criteria:

(1) The licensee has fewer than twenty employees.

(2) The licensee has less than five million dollars in gross annual revenue.

(3) The licensee has less than ten million dollars in assets, measured at the end of the licensee's fiscal year.

(B)

(1) A licensee subject to and in compliance with the privacy and security rules of 45 C.F.R. Parts 160 and 164 shall be deemed to meet the requirements of this chapter, except those pertaining to notification under section 3965.04 of the Revised Code. The licensee shall submit a written statement to the superintendent certifying its compliance with 45 C.F.R. Parts 160 and 164. The information furnished by a licensee pursuant to section 3965.04 of the Revised Code shall be confidential in accordance with section 3965.06 of the Revised Code.

Each licensee shall maintain for examination by the superintendent all records, schedules, and data supporting the certificate of compliance for a period of five years. To the extent an insurer has identified areas, systems, or processes that require material improvement, updating, or redesign, the insurer shall document the identification and the remedial efforts planned and underway to address such areas, systems, or processes. Such documentation shall be available for inspection by the department.

(2) Notwithstanding any other provision of this chapter, a licensee subject to HIPAA shall comply with the requirements of any subsequent amendments to HIPAA in the timeframe established in the applicable amendments to HIPAA.

(C) An employee, agent, representative, independent contractor, or designee of a licensee, who is also a licensee, is exempt from section 3965.02 of the Revised Code and need not develop its own information security program to the extent that the employee, agent, representative, independent contractor, or designee is covered by the information security program of the other licensee.

(D) If a licensee ceases to qualify for an exemption, the licensee shall have one hundred eighty days after the date it ceases to qualify to comply with this chapter.

Added by 132nd General Assembly File No. TBD, SB 273, §1, eff. 3/20/2019.

Previous Next
Disclaimer: These codes may not be the most recent version. Ohio may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.