North Dakota

Data Breach Notification Statute

Highlights

Covered Entities: Individuals, businesses, and other entities that own, license, or maintain personal information.

Consumer Notification: Notification must be provided to any North Dakota resident “if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”

Regulatory Notification: Notification must be provided to the North Dakota Attorney General where more than 250 North Dakota residents are required to be notified of a breach.

Notification Timeline: Notification must be provided in the most expedient time possible and without unreasonable delay.

Data Format: Electronic.

Citations: N.D. Cent. Code §§ 51-30-01 et seq.

More Details

Definitions:

  • Breach: Unauthorized acquisition of computerized data when access to personal information has not been secured by encryption or by any other method or technology that renders the electronic files, media, or databases unreadable or unusable.
  • Personal information (PI):
    • An individual’s first name or first initial and last name in combination with one or more of the following data elements, when the name and the data elements are not encrypted:
      • The individual's Social Security number;
      • The operator’s license number assigned to an individual by the department of transportation;
      • A non-driver color photo identification card number assigned to the individual by the department of transportation;
      • The individual's financial institution account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial accounts;
      • The individual’s date of birth;
      • The maiden name of the individual’s mother;
      • Medical information;
      • Health insurance information;
      • An identification number assigned to the individual by the individual’s employer in combination with any required security code, access code, or password; or
      • The individual’s digitized or other electronic signature.
    • PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
  • Medical Information: “Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.”
  • Health Insurance Information: “An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.”

Safe Harbors:

  • Encryption: Notification is not required where the potentially impacted PI was encrypted.
  • Good Faith: Notification is not required where the potentially impacted PI was acquired in good faith by an employee or agent, for the purposes of the relevant person, business, or agency and the PI is not used or subject to further unauthorized disclosure.
  • Risk of Harm: N/A
  • Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required must be made after the law enforcement agency determines that the notification will not compromise the investigation.

Direct Notice:

  • Timing: Notification must be provided in the most expedient time possible and without unreasonable delay, consistent with measures necessary to determine the scope of the breach and restore the integrity of the system.
  • Format: N/A
  • Content: N/A
  • Method: Written, electronic (consistent with E-SIGN Act), or substitute notice (where appropriate).

Substitute Notice:

An entity may provide substitute notice if it can show one of the following: (1) the cost of providing notice would exceed $250,000, or (2) the notification population exceeds 500,000, or (3) the entity does not have sufficient contact information. Substitute notice must include: (1) Electronic notice, where an email address is available; (2) conspicuous posting on the entity’s webpage, if one is maintained; and (3) notice to major statewide media.

Remediation Services:

N/A

Regulatory Notice:

Notification must be provided to the North Dakota Attorney General where more than 250 North Dakota residents are required to be notified of a breach. The notice to the Attorney General must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and to restore the integrity of the data system.

Credit Reporting Agencies Notice:

N/A

Third-Party Notice:

Any person that maintains computerized data that includes PI that the person does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following the discovery, if the PI was, or is reasonably believed to have been, acquired by an unauthorized person.

HIPAA:

N/A

Private Action:

N/A

Associated Regulations:

  • Insurance Data Security (N.D. Cent. Code §§ 26.1-02.2-01 to 26.1-02.2-11)

Insurance Data Security Statute

Highlights

Covered Entities (Licensee): Any person licensed, authorized to operate, registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this state. The term does not include a purchasing group or a risk retention group chartered and licensed in another state or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

Security Standard: Commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including the licensee's use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control, each licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee's risk assessment that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information system.

Consumer Notification: Notification must be provided to any North Dakota resident “if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” A licensee shall comply with N.D. C.C. §§ 51-30-02, as applicable.

Regulatory Notification: A licensee shall notify the commissioner as promptly as possible, but no later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred, when either of the criteria referenced below has been met.

Consumer Notification Timeline: A licensee shall comply with N.D. C.C. §§ 51-30-02, as applicable.

Citations: N.D.C.C. §§ 26.1-02.2-01 to 26.1-02.2-11

More Details

Definitions:

  • Consumer: An individual, including an applicant, policyholder, insured, beneficiary, claimant, and certificate holder, who is a resident of this state and whose nonpublic information is in a licensee's possession, custody, or control.
  • Cybersecurity Event: An event resulting in unauthorized access to, disruption, or misuse of, an information system or nonpublic information stored on the information system. The term does not include: the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization; or an event for which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
  • Nonpublic Information: Electronic information that is not publicly available information and is:
    • Any information concerning a consumer which can be used to identify the consumer because of name, number, personal mark, or other identifier in combination with any one or more of the following data elements:
      • Social Security number;
      • Driver’s license number or nondriver identification card number;
      • Financial account number or credit or debit card number;
      • Any security code, access code, or password that would permit access to a consumer's financial account; or
      • Biometric records.
    • Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer which can be used to identify a particular consumer and relates to:
      • The past, present, or future physical, mental, or behavioral health or condition of any consumer or a member of the consumer's family;
      • The provision of health care to any consumer; or
      • Payment for the provision of health care to any consumer.

Regulatory Notice:

A licensee shall notify the commissioner as promptly as possible, but no later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred, when either of the following criteria has been met:

  • This state is the licensee's state of domicile, in the case of an insurer, or this state is the licensee's home state, in the case of a producer as defined in chapter 26.1-26, and the cybersecurity event has a reasonable likelihood of materially harming a consumer residing in this state or reasonable likelihood of materially harming any material part of the normal operations of the licensee; or
  • The licensee reasonably believes the nonpublic information involved is of 250 or more consumers residing in this state and is:
    • A cybersecurity event impacting the licensee for which notice is required to be provided to any government body, self-regulatory agency, or any other supervisory body pursuant to any state or federal law; or
    • A cybersecurity event that has a reasonable likelihood of materially harming any consumer residing in this state or materially harming any part of the normal operations of the licensee.

Content Requirements:

The licensee shall provide the notice required under this section in electronic form as directed by the commissioner. The licensee shall update and supplement the initial and any subsequent notifications to the commissioner regarding material changes to previously provided information relating to the cybersecurity event. The licensee's notice required under this section must include:

  • The date of the cybersecurity event;
  • Description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any;
  • How the cybersecurity event was discovered;
  • Whether any lost, stolen, or breached information has been recovered and if so, how;
  • The identity of the source of the cybersecurity event;
  • Whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when the notification was provided;
  • Description of the specific types of information acquired without authorization. Specific types of information means particular data elements, including medical information, financial information, or any other information allowing identification of the consumer;
  • The period during which the information system was compromised by the cybersecurity event;
  • The total number of consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the commissioner and update the estimate with a subsequent report to the commissioner pursuant to this section;
  • The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed;
  • Description of efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur;
  • A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and
  • Name of a contact person that is both familiar with the cybersecurity event and authorized to act for the licensee.

Third-Party Notice Requirements:

In the case of a cybersecurity event in a system maintained by a third-party service provider, of which the licensee has become aware, the licensee shall still notify individuals and the insurance commissioner as if the cybersecurity event were its own; however, the third-party service provider may notify the insurance commissioner.

Penalties:

The commissioner may examine and investigate the affairs of any licensee to determine whether the licensee has been or is engaged in any conduct in violation of this chapter. This power is in addition to the powers the commissioner has under chapter 26.1-03. Any investigation or examination must be conducted pursuant to chapter 26.1-03. If the commissioner has reason to believe a licensee has been or is engaged in conduct in this state which violates this chapter, the commissioner may take action that is necessary or appropriate to enforce the provisions of this chapter.

Associated Regulations:

N/A
