(A) For the purposes of this rule:
(1) "Cybersecurity incident" means a cybersecurity event that has been determined to have an impact on the employer prompting the need for response and recovery. This may include ransomware that may place a retirement system member's personal data at risk or an employer business email compromise that may place a retirement system member's personal data at risk.
(2) "Personal data" means full legal name, date of birth, home address, email address, social security number, driver's license number, state identification card number, retirement system account username, retirement system account password, record of contributions or financial account numbers.
(B) Within seventy-two hours of discovery of a cybersecurity incident, an employer shall provide notification of the cybersecurity incident to the retirement system by telephone or email. Notification shall be sent to employer reporting personnel at 888-535-4050 or report@strsoh.org. The employer shall also provide the following information within seventy-two hours of discovery of a cybersecurity incident:
(1) The date and time of the discovery of the cybersecurity incident.
(2) The name of the employer cybersecurity incident representative and contact information.
(C) The employer shall provide the following information to employer reporting regarding a cybersecurity incident within a reasonable period of time:
(1) Date and time of the cybersecurity incident.
(2) Nature of the cybersecurity incident, including any potential impact on retirement system member's personal data or email communications from employer.
(3) Description of personal data involved in the cybersecurity incident.
(4) Employer action taken to mitigate the cybersecurity incident and secure compromised systems.
Last updated May 10, 2025 at 8:06 AM