North Dakota Notice of Security Breach for Personal Information
N.D. Cent. Code § 51-30-01, et seq.
SUMMARY:
EFFECTIVE. June 1, 2005
WHO DOES THIS LAW APPLY TO. (1) Any person or entity that conducts business in North Dakota and owns or licenses computerized data that includes Personal Information; and (2) any person or entity that maintains computerized data that includes Personal Information.
WHAT IS A BREACH. Unauthorized acquisition of computerized data when Personal Information has not been secured by encryption or other method that renders it unreadable or unusable.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data element is not encrypted:
- Social Security Number.
- Driver’s license number or non-driver identification card number.
- Account number, credit card, or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
- Date of birth.
- Mother’s maiden name.
- Employer identification number.
- Digitized or electronic signature.
- Medical information includes any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
- Health insurance information includes health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.
Personal Information does not include publicly available information lawfully obtained from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the state residents affected. If more than 250 individuals are affected, notice must be sent via mail or email to the Attorney General.
EXCEPTION. This Section does not apply to the following:
- A good faith acquisition of Personal Information by an employee or agent of the owner for internal purposes only is not a breach, if it is not used or subject to further unauthorized disclosure.
- A person or business which maintains its own notice procedures as part of a Personal Information security policy and is otherwise consistent with the timing requirements of this Section is considered in compliance with this Section if the affected individuals are notified by the person or business in accordance with its policies.
- A financial institution, trust company, or credit union that is subject to and in compliance with the Federal interagency guidance on response programs for a security breach is considered in compliance with this Section.
- An entity, business associate or subcontractor that is subject to the breach notification requirements of 45 C.F.R. Part 164, Subpart D (Notification in the Case of Breach of Unsecured Protected Health Information) is considered to be in compliance with this chapter.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent when the person or business discovers an incident of unauthorized acquisition. The disclosure shall be made in the most expedient manner possible and without unreasonable delay, consistent with the needs of law enforcement, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. Notification may be delayed if law enforcement determines it will impede a criminal investigation. In that instance, notification will be made following clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Electronic (if notice is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001).
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the person or business can demonstrate that the cost of providing notice will exceed $250,000, the affected class of persons to be notified exceeds 500,000, or the person or business has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the person or business has an Email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the person or business if one is maintained.
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a person or business maintains computerized data which includes Personal Information that it does not own, then the person or business shall notify the owner or licensee of a breach immediately upon discovery. The person or business that owns or licenses the computerized data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. The State Attorney General may bring an action under Chapter 51-15 to:
- Obtain a court order to prohibit any further violations by the person or business.
- Recover fees and costs for investigating and prosecuting the action.
- Impose a penalty of up to $5,000 per violation to be paid to the State.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. None.
LEGISLATIVE UPDATES.
S.B. 2251 – Signed into law on 4/22/2005, Effective 6/1/2005.
H.B. 1435 – Signed into law on 4/18/2013, Effective 4/20/2013.
S.B. 2214 – Signed into law on 4/13/2015, Effective 8/1/2015.
For more information, see here: https://www.ndlegis.gov/cencode/t51c30.html
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.