The Ohio Open Records Law is contained in Section 149.43 of the Ohio Revised Code. The law describes what records are available, what agencies are covered, what fees can be charged, who can ask for records, and so on. All records “kept by any public office,” as well as records of both nonprofit and for-profit private schools, are covered.
Ohio Rev. Code. Ann 149.43
Sanctions for Noncompliance
The act provides fixed statutory damages of $100 per business day for non-compliance with a request, so long as the request is delivered by hand-delivery or certified mail. Ohio Rev. Code § 149.43(C); See, e.g., State ex rel. DiFranco v. S. Euclid, 138 Ohio St. 3d 367, 374, 7 N.E.3d 1136, 1142, 2014-Ohio-538, ¶ 28.
Statutory damages are not punitive, but instead represent the presumptive injury suffered by a requester for lost use of the requested records—due to the public office’s delay in providing them.
A requester’s eligibility for statutory damages does not begin until the day that a requester sues, so that is the first day that the public office could be liable for the $100-a-day damages. The most in statutory damages that a requester can recover for the public office’s delay in providing the requested records is $1,000.
“Stacking” of statutory damages for “essentially the same records request” is not allowed, as “no windfall is conferred by the statute.” State ex rel. Dehler v. Kelly, 127 Ohio St.3d 309, 939 N.E.2d 828, 2010-Ohio-5724.
The statute authorizes a reviewing court to reduce statutory damages in whole or in part if it finds a person well-informed about the state of the law would conclude that the public office was complying with the current state of the law, and that nondisclosure furthered the public policy underlying whatever authority the public office relied upon in denying access to the records. Ohio Rev. Code § 149.43(C)(1).
The statute authorizes courts to award reasonable attorneys’ fees to a prevailing requester, but that award is discretionary with the court in most instances. Ohio Rev. Code § 149.43(C)(3). The court must award attorneys’ fees only where the public office ignores a request without responding at all, or where the office promises to provide the requested records within a specified period of time, but breaks that promise. Ohio Rev. Code § 149.43(C)(3).
A successful litigant is not entitled to attorney fees when the work is done by in-house counsel who did not receive any compensation beyond counsel’s regular salary. State ex rel. Beacon Journal Publ’g Co. v. Akron, 104 Ohio St. 3d 399, 819 N.E.2d 1087, 2004-Ohio-6557.
Since 2006, FOIA lawsuits have increased 57% and the cost of defending these lawsuits is millions of dollars.
With Evertel, we provide an efficient, proven, and effective manner to share FOIA documents to those requesting. Once your legal experts provide the policy, the executives auditing your agency’s platform can immediately release the approved documents in minutes, avoiding multi-year litigations and expensive legal costs.
The Federal Bureau of Investigation’s CJIS Security Policy sets the minimum security requirements to provide an acceptable level of assurance to protect the full lifecycle of Criminal Justice Information. Agencies using cloud-based services are required to make informed decisions on whether or not the cloud provider can offer services that maintain compliance with the requirements of the CJIS Security Policy.
The CJIS Security Policy integrates presidential and FBI directives, federal laws, and the criminal justice community’s Advisory Policy Board decisions, along with guidance from the National Institute of Standards and Technology (NIST). The Policy is periodically updated to reflect evolving security requirements.
The CJIS Security Policy defines 13 areas that private contractors such as cloud service providers must evaluate to determine if their use of cloud services can be consistent with CJIS requirements. These areas correspond closely to NIST 800-53, which is also the basis for the Federal Risk and Authorization Management Program (FedRAMP) program.
The key agency requirements of CJIS compliance are summarized here:
Evertel signs the CJIS Security Addendum in states with CJIS Information Agreements. These tell state law enforcement authorities responsible for compliance with CJIS Security Policy how Evertel’s cloud security controls help protect the full lifecycle of data and ensure appropriate background screening of operating personnel with access to CJI. Evertel continues to work with state governments to enter into CJIS Information Agreements.
It is important to note upfront that HIPAA compliance requirements are primarily focused on health providers. Having said that, government agencies, and in particular 1st Responders, are typically transmitting HIPAA data daily and in non-compliant fashions. In today’s litigious world, it makes sense to comply with HIPAA requirements and remove or minimize the risk.
HIPAA violations are expensive. The penalties for noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. Violations can also carry criminal charges that can result in jail time.
Fines increase with the number of patients and the amount of neglect. The lowest fines start with a breach where you didn’t know and, by exercising reasonable diligence, would not have known that you violated a provision. At the other end of the spectrum are fines levied where a breach is due to negligence and not corrected in 30 days. In legalese, this is known as mens rea (state of mind). So fines increase in severity from no mens rea (didn’t know) to assumed mens rea (willful neglect).
The fines and charges are broken down into 2 major categories: Reasonable Cause and Willful Neglect. Reasonable Cause ranges from $100 to $50,000 per incident and does not involve any jail time. Willful Neglect ranges from $10,000 to $50,000 for each incident and can result in criminal charges.
While encryption is an addressable (rather than required) specification, it does not mean optional. The vast majority of data breaches are due to stolen or lost data that was unencrypted. When in doubt, you should implement the addressable implementation specifications of the Security Rule. Most of them are best practices.
Breaches can occur when employees lose unencrypted portable devices, mistakenly send PHI to vendors who post that information online and disclose personally identifiable, sensitive information on social networks.
These are all examples from actual cases. Employee training and adherence to security policies and procedures are extremely important.
Almost half of all data breaches are the result of theft. When laptops, smartphones, etc. are unencrypted the risk of a breach increases considerably. With Evertel, your data is safely stored off-premise; so that a lost or stolen mobile phone or laptop has no data on it and hence and no PHI is compromised.
No obligation 30-day free trial