OH HB432

Creates new section 125.184 requiring the state chief information officer to conduct biennial examinations of each state agency to assess breach of security risks and deliver confidential reports identifying unacceptable risks with mitigation recommendations.

State agencies receiving risk assessment reports must mitigate all identified unacceptable risks to acceptable levels.

Requires state agencies and political subdivision agencies to disclose data breaches to affected residents within 45 days of discovery if unauthorized access causes material risk of identity theft or fraud.

Mandates state agencies provide affected residents with three years of free credit monitoring following a breach disclosure.

Allows breaches affecting over 1,000 residents to notify nationwide consumer reporting agencies, and permits the Ohio Attorney General to investigate and sue for non-compliance.