(A) The bureau shall take reasonable precautions to protect personal information in the system from unauthorized modification, destruction, or disclosure of personal information. In determining what is reasonable, consideration shall be given to the following:
(1) The nature and vulnerability of the personal information.
(2) The physical facilities where the personal information is maintained or used.
(3) The need for the feasibility of keeping personal information in a secure place, considering paragraphs (A)(1) and (A)(2) of this rule, the cost of providing a secure place and the need for access to the place where information is kept by personnel of the agency and the general public.
(B) The bureau shall adopt, implement and enforce a security plan for the protection of personal information. This plan shall include the following:
(1) A statement of the security precautions for each personal information system determined appropriate from the analysis conducted in accordance with paragraph (A) of this rule. When electronic data processing equipment is used, the requirements of rule 123:3-1-01 of the Administrative Code shall be included in the statement of security precautions.
(2) A method of informing agency employees concerning appropriate and inappropriate uses, disclosure and access to the personal information as well as penalties and sanctions, civil or criminal, for the unlawful use or disclosure of personal information and the failure to take reasonable precautions to protect the security of personal information.
(3) A method for reporting violations of the security plan to responsible officials or employees of the agency.
(4) A method for monitoring the effectiveness of the security plan.
A copy of the security plan shall be kept in the office of the privacy officer.
(C) The bureau may require a background investigation of any individual who has access to confidential personal information or to computer equipment used to process such information.
(D) The requirements of Chapter 1347. of the Revised Code and of Chapter 4123-16 of the Administrative Code shall apply to personal information stored, processed, or disseminated under contract with the bureau by any contractor. Any such contract shall contain covenants that the contract will:
(1) Use the information only as specified in the contract;
(2) Not disclose information except with the express permission of the bureau; and
(3) Protect the security of the information.
This paragraph shall apply only to contracts entered into after the effective date of Chapter 4123-16 of the Administrative Code.