Oklahoma Security Breach Notification Act
24 OK Stat § 24-161 - § 24-166
SUMMARY:
EFFECTIVE. November 1, 2008
WHO DOES THIS LAW APPLY TO. (1) Any person, business or State agency that owns or licenses computerized data that includes Personal Information; and (2) any person, business or State agency that maintains computerized data which includes Personal Information.
WHAT IS A BREACH. Unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, integrity or confidentiality of Personal Information maintained by a person, business or State agency that causes, or is likely to cause, identity theft or other fraud to any State resident. Good faith acquisition of Personal Information by an employee or agent for internal purposes only is not a breach, if it is not used unlawfully or subject to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with, and linked to, any one or more of the following data elements, when the name or data element is not encrypted or redacted:
- Social Security Number.
- Driver’s license number or State identification number.
- Account number, credit card or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
Personal Information does not include publicly available information, or information that is lawfully obtained from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the affected Oklahoma residents.
EXCEPTION. This Section does not apply to the following:
- A person, business or State agency which maintains its own notice procedures as part of a Personal Information security policy and is otherwise consistent with the timing requirements of this Section, is considered in compliance with this Section if the affected individuals are notified by the person, business or agency in accordance with its policies.
- A financial institution that complies with the notice requirements required by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, is considered in compliance with this Section.
- A person or business that complies with the notification requirements or rules established by their primary or functional Federal regulator is considered in compliance with this Section.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent when the person, business or State agency discovers or is notified of an incident of unauthorized acquisition. The disclosure shall be made in the most expedient manner possible and without unreasonable delay, consistent with the needs of law enforcement, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. Notification may be delayed if a law enforcement agency determines and advises it will impede a criminal or civil investigation or national security. In that instance, notification will be made as soon as possible following clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Telephonic.
- Electronic (if it is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001).
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the person or business can demonstrate that the cost of providing notice will exceed $50,000, the affected class of persons to be notified exceeds 100,000, or the person or business has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the person or business has an Email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the person or business if one is maintained.
- Notification to major statewide media.
If a State agency can demonstrate that the cost of providing notice will exceed $250,000, the affected class of persons to be notified exceeds 500,000, or the agency has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the agency has an Email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the agency’s website if one is maintained.
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a person, business, or State agency maintains computerized data that includes Personal Information that it does not own or license, then it shall notify the owner or licensee of any breach immediately following discovery. The person, business or agency that owns or licenses the computerized data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. The State Attorney General or district attorney shall have exclusive authority to enforce violations of this Section by a person or business that result in injury or loss to Oklahoma residents, under the Oklahoma Consumer Protection Act. Penalties include actual damages of up to $150,000 per breach. Violations of this Section by a State-chartered or licensed financial institution will be exclusively enforced by the primary State regulator.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. None.
LEGISLATIVE UPDATES.
H.B. 2245 – Signed into law on 4/28/2008, Effective 11/1/2008.
For more information, see here: http://www.oklegislature.gov/osstatuestitle.html
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.