Ohio Rev. Code Ann. § 3965.04
(A) Each licensee shall notify the superintendent of insurance as promptly as possible after a determination that a cybersecurity event involving nonpublic information in the possession of the licensee has occurred, but in no event later than three business days after that determination, when either of the following criteria has been met:
(1) Both of the following apply:
(2) The licensee reasonably believes that the nonpublic information involved relates to two hundred fifty or more consumers residing in this state and the cybersecurity event is either of the following:
(b) A cybersecurity event that has a reasonable likelihood of materially harming either of the following:
(B)
(1) In providing the notification described in division (A) of this section, the licensee shall provide as much of the following information as possible:
(D)
(E)
(1) In the case of a cybersecurity event involving nonpublic information that is used by or in the possession, custody, or control of a licensee that is acting as an assuming insurer, including an assuming insurer that is domiciled in another state or jurisdiction, and that does not have a direct contractual relationship with the affected consumers, both of the following apply:
(2) In the case of a cybersecurity event involving nonpublic information that is in the possession, custody, or control of a licensee's third-party service provider, when the licensee is acting as an assuming insurer, including an assuming insurer that is domiciled in another state or jurisdiction, both of the following apply: