Oklahoma

State Data Breach Notification Statute

Highlights

Covered Entities: Individuals or entities that own or license computerized data that includes personal information.

Consumer Notification: Notification must be provided to any Oklahoma resident whose “unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person,” when the unauthorized access and acquisition causes or is reasonably believed has caused or will cause identity theft or other fraud to an Oklahoma resident.

Regulatory Notification: N/A

Notification Timeline: Notification must be provided “without unreasonable delay …”

Data Format: Electronic.

Citations: 24 Okla. Stat. §§ 161–166

More Details

Definitions:

  • Breach: Unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of PI, and that causes or is reasonably believed has caused or will cause, identity theft or other fraud to an Oklahoma resident.
  • Personal information (PI):
    • An individual’s first name / first initial and last name in combination with one or more of the following data elements:
      • Social Security number;
      • Driver’s license or state identification card number; or
      • Financial account or payment card number plus a security code, access code, or password that would permit access to a financial account.
  • Medical Information: N/A
  • Health Insurance Information: N/A

Safe Harbors:

  • Encryption: Notification is not required where the potentially impacted PI was encrypted, so long as the encryption key is not also available, which would render the PI readable / usable.
  • Good Faith: Notification is not required where the potentially impacted PI was acquired in good faith by an employee or agent, provided that the PI is not used for a purpose other than the lawful purpose of the individual or entity or subject to further unauthorized disclosure.
  • Risk of Harm: Notification is not required unless the breach causes or is reasonably believed has caused or will cause identity theft or other fraud to an Oklahoma resident.
  • Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notification “will impede a criminal or civil investigation or homeland or national security.”

Direct Notice:

  • Timing: Notice must be provided without unreasonable delay unless requested by law enforcement, or consistent with measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system.
  • Format: N/A
  • Content: N/A
  • Method: “Notice” means (1) written notice to the postal address in the records of the individual or entity; (2) telephone notice; (3) electronic notice; or (4) substitute notice.

Substitute Notice:

An individual or entity may provide substitute notice if (1) the cost of providing notice would exceed $50,000, (2) the notification population exceeds 100,000, or (3) the individual or entity does not have sufficient contact information or consent to provide direct notice. Substitute notice must consist of any two of the following: (1) e-mail notice, if an e-mail address is available; (2) conspicuous posting on the individual or entity’s public web site; or (3) notice to statewide media.

Remediation Services:

N/A

Regulatory Notice:

N/A

Credit Reporting Agencies Notice:

N/A

Third-Party Notice:

An individual or entity that maintains computerized data that includes PI that the individual or entity does not own or license must notify the owner or licensee of the information of a “breach” as soon as practicable following discovery.

HIPAA:

An entity that complies with the notification requirements or procedures pursuant to the rules, regulation, procedures, or guidelines established by the primary or functional federal regulator of the entity shall be deemed to be in compliance with the provisions of this act.

Private Action:

N/A

Associated Regulations:

N/A
