(A) The agency shall take reasonable precautions to protect personal information in the system from unauthorized modification, destruction, use, or disclosure of personal information. In determining what is reasonable, consideration shall be given to the following:
(1) The nature and vulnerability of the personal information.
(2) The physical facilities where the personal information is maintained or used.
(3) The need for and feasibility of keeping personal information in a secure place, considering paragraphs (A)(1) and (A)(2) of this rule, the cost of providing a secure place and the need for access to the place where information is kept by personnel of the agency and/or the general public.
(B) The agency shall adopt, implement and enforce a security plan for the protection of personal information. This plan shall include the following:
(1) A statement of the security precautions for each personal information system determined appropriate from the analysis conducted in accordance with paragraph (A) of this rule.
(2) A method of informing agency employees concerning appropriate and inappropriate uses, disclosure and access to the personal information, as well as penalties and sanctions, civil or criminal, for the unlawful use or disclosure of personal information and the failure to take reasonable precautions to protect the security of personal information.
(3) A method for reporting violations of the security plan to responsible officials or employees of the agency.
(4) A method for monitoring the effectiveness of the security plan.
A copy of the security plan shall be kept in the office of the privacy officer.
(C) The agency may require a background investigation of any individual who has access to confidential personal information or to computer equipment used to process such information.
(D) The requirements of Chapter 1347. of the Revised Code and of Chapter 3353-1 of the Administrative Code shall apply to personal information stored, processed, or disseminated under contract with the agency by any contractor. Any such contract shall contain covenants that the contractor will:
(1) Use the information only as specified in the contract,
(2) Not disclose information except with the express permission of the agency, and
(3) Protect the security of the information.
This paragraph shall apply only to contracts entered into after the effective date of this rule.