Ohio § 3965.07 Exemptions

Ohio Statutes

§ 3965.07 — Exemptions

Ohio § 3965.07

Title 39Insurance

Ch. 3965Cybersecurity Requirements For Insurance Companies

This text of Ohio § 3965.07 (Exemptions) is published on Counsel Stack Legal Research, covering Ohio primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.

Bluebook

Ohio Rev. Code Ann. § 3965.07 (2026).

Text

(A)A licensee is exempt from the requirements of section3965.02of the Revised Code if it meets any of the following criteria:

(1)The licensee has fewer than twenty employees.

(2)The licensee has less than five million dollars in gross annual revenue.

(3)The licensee has less than ten million dollars in assets, measured at the end of the licensee's fiscal year.

(B)(1) A licensee subject to and in compliance with the privacy and security rules of 45 C.F.R. Parts 160 and 164 shall be deemed to meet the requirements of this chapter, except those pertaining to notification under section3965.04of the Revised Code. The licensee shall submit a written statement to the superintendent certifying its compliance with 45 C.F.R. Parts 160 and 164. The information furnished by a licensee pursuant

Free access — add to your briefcase to read the full text and ask questions with AI

(A) A licensee is exempt from the requirements of section3965.02of the Revised Code if it meets any of the following criteria:

(1) The licensee has fewer than twenty employees.

(2) The licensee has less than five million dollars in gross annual revenue.

(3) The licensee has less than ten million dollars in assets, measured at the end of the licensee's fiscal year.

(B)(1) A licensee subject to and in compliance with the privacy and security rules of 45 C.F.R. Parts 160 and 164 shall be deemed to meet the requirements of this chapter, except those pertaining to notification under section3965.04of the Revised Code. The licensee shall submit a written statement to the superintendent certifying its compliance with 45 C.F.R. Parts 160 and 164. The information furnished by a licensee pursuant to section3965.04of the Revised Code shall be confidential in accordance with section3965.06of the Revised Code.

Each licensee shall maintain for examination by the superintendent all records, schedules, and data supporting the certificate of compliance for a period of five years. To the extent an insurer has identified areas, systems, or processes that require material improvement, updating, or redesign, the insurer shall document the identification and the remedial efforts planned and underway to address such areas, systems, or processes. Such documentation shall be available for inspection by the department.

(2) Notwithstanding any other provision of this chapter, a licensee subject to HIPAA shall comply with the requirements of any subsequent amendments to HIPAA in the timeframe established in the applicable amendments to HIPAA.

(C) An employee, agent, representative, independent contractor, or designee of a licensee, who is also a licensee, is exempt from section3965.02of the Revised Code and need not develop its own information security program to the extent that the employee, agent, representative, independent contractor, or designee is covered by the information security program of the other licensee.

(D) If a licensee ceases to qualify for an exemption, the licensee shall have one hundred eighty days after the date it ceases to qualify to comply with this chapter.