The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
State Data Breach Notification Statue
Covered Entities: Individuals or entities that own or license computerized data that includes personal information.
Consumer Notification: Notification must be provided to any Oklahoma resident whose “unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person,” when the unauthorized access and acquisition causes or is reasonably believed has caused or will cause identity theft or other fraud to an Oklahoma resident.
Regulatory Notification: N/A
Notification Timeline: Notification must be provided “without unreasonable delay …”
Data Format: Electronic.
Citations: 24 Okla. Stat. §§ 161–166
- Breach: Unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of PI, and that causes or is reasonably believed has caused or will cause, identity theft or other fraud to an Oklahoma resident.
- Personal information (PI): An individual’s first name / first initial and last name in combination with one or more of the following data elements:
- Social Security number;
- Driver’s license or state identification card number; or
- Financial account or payment card number plus a security code, access code, or password that would permit access to a financial account.
- Medical Information: N/A
- Health Insurance Information: N/A
- Encryption: Notification is not required where the potentially impacted PI was encrypted, so long as the encryption key is not also available thereby rendering the PI readable / usable.
- Good Faith: Notification is not required where the potentially impacted PI was acquired in good faith by an employee or agent, provided that the PI is not used for a purpose other than the lawful purpose of the individual or entity or subject to further unauthorized disclosure.
- Risk of Harm: Notification is not required unless the breach causes or is reasonably believed has caused or will cause identity theft or other fraud to an Oklahoma resident.
- Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notification “will impede a criminal or civil investigation or homeland or national security.”
- Timing: Notice must be provided without unreasonable delay unless requested by law enforcement, or consistent with measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system.
- Format: N/A
- Content: N/A
- Method: “Notice” means (1) written notice to the postal address in the records of the individual or entity; (2) telephone notice; (3) electronic notice; or (4) substitute notice.
An individual or entity may provide substitute notice if (1) the cost of providing notice would exceed $50,000, (2) the notification population exceeds 100,000, or (3) the individual or entity does not have sufficient contact information or consent to provide direct notice. It must consist of any two of the following: (1) e-mail notice, if an e-mail address is available; (2) conspicuous posting on the individual or entity’s public web site, or (3) notice to statewide media.
Credit Reporting Agencies Notice:
An individual or entity that maintains computerized data that includes PI that the individual or entity does not own or license must notify the owner or licensee of the information of a “breach” as soon as practicable following discovery.
An entity that complies with the notification requirements or procedures pursuant to the rules, regulation, procedures, or guidelines established by the primary or functional federal regulator of the entity shall be deemed to be in compliance with the provisions of this act.