
New Data Breach Notification Requirements in Oklahoma

Oklahoma has enacted a bill that amends its data breach notification statute. The definition of personal information warranting notifications has been broadened, and the state Attorney General must be notified about any breach of the personal information of 500 or more state residents, or 1,000 or more residents for a breach of credit bureau systems.

Individual notifications must be issued without unreasonable delay, and the state Attorney General must be notified within 60 days of individual notifications being mailed. The Attorney General must be informed of the date of the breach, the date it was determined that a data breach had occurred, the nature of the breach, the type(s) of information exposed or stolen, the number of state residents affected, any reasonable safeguards that the entity has implemented, and the estimated monetary impact of the breach, if it can be determined.

Entities that are compliant with the Health Insurance Portability and Accountability Act (HIPAA), the Oklahoma Hospital Cybersecurity Protection Act, and/or the Gramm-Leach-Bliley Act (GLBA) will be deemed to be compliant with the new data breach notification requirements, provided that they notify the state Attorney General about any breach of personal information within 60 days of issuing individual notifications.

Notifications are required when there has been a breach of unencrypted computerized personal information, which is an individual’s first name or first initial and last name in combination with one or more of the following: Social Security number, driver’s license number, other unique identification number created or collected by a government entity, financial information (financial account or debit/credit card number when combined with an expiration date, security code, access code, or password that would permit access).

The update adds the following other types of information to the list:

  • Unique electronic identifier or routing code plus a required security code, access code, or password that permits access to a financial account.
  • Unique biometric data (e.g., fingerprint, retina or iris image, or other unique physical or digital representation of biometric data to authenticate a specific individual).

If the cost of notification exceeds $50,000, or if sufficient contact information is not held to allow notifications to be issued, then a substitute notice is acceptable, which can be an email notice (if email addresses are held), a conspicuous posting on the breached entity’s website (if a website is owned), and a notice to statewide media. Two of those three options are required to meet the substitute notice requirements.

Entities will be shielded from civil monetary penalties, which are up to $150,000 per breach, if they employ “reasonable safeguards” and issue breach notifications. Reasonable safeguards are defined as “policies and practices that ensure personal information is secure, taking into consideration an entity’s size and the type and amount of personal information.” These can include risk assessments, technical and physical layered defenses, employee training on secure data handling, and having an incident response plan. The new law, as implemented by Senate Bill 626, will take effect on January 1, 2026.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
