Security Breach Legislation in the State of Oklahoma
Ok. Stat., Tit. 24, §§ 161–166, also known as the Security Breach Notification Act, is a data breach notification law that was passed in the U.S. state of Oklahoma in 2008. Oklahoma’s Security Breach Notification Act establishes the protocol that agencies, businesses, and companies within the state are required to follow when a data breach occurs. The law also gives the Oklahoma attorney general the authority to levy penalties against entities within the state that are found to be in violation of the law. As such, Oklahoma’s Security Breach Notification Act represents the primary piece of legislation that protects the personal information of citizens of the state in terms of security breaches.
What is the scope and applicability of Oklahoma’s Security Breach Notification Act?
The provisions of Oklahoma’s Security Breach Notification Act apply to all “corporations, business trusts, estates, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, governments, governmental subdivisions, agencies, or instrumentalities, or any other legal entity, whether for profit or not-for-profit (collectively, Entity) that owns or licenses computerized data that includes PI of OK residents.” Furthermore, third parties that collect or process personal information on behalf of entities within Oklahoma are also subject to the provisions of Oklahoma’s Security Breach Notification Act.
What are the data breach notification requirements under Oklahoma’s Security Breach Notification Act?
Under the provisions of Oklahoma’s Security Breach Notification Act, agencies, companies, and businesses that operate within the state are required to provide notice to all affected individuals and parties in the event that a security breach occurs. The notifications must be provided to affected individuals without unreasonable delay, and must convey the scope and severity of the breach, as well as any steps that were taken to restore the integrity of the data system in which the breach occurred. Alternatively, the law also states that affected entities may provide substitute notification under certain circumstances, such as when providing standard data breach notification would cost more than $50,000, or in instances where the affected class of residents is more than 100,000.
What categories of personal information are protected under Oklahoma’s Security Breach Notification Act?
Under Oklahoma’s Security Breach Notification Act, the following categories of personal information are legally protected in the event of a security breach, in combination with an Oklahoma resident’s first name or first initial and last name, in instances where the data elements in question have not been redacted or encrypted:
- Social security numbers.
- Driver’s license card numbers and state identification card numbers.
- Account numbers, credit card numbers, and debit card numbers, as well as any required security codes, access codes, or passwords that could be used to grant access to an individual’s financial account.
What are the penalties for violating Oklahoma’s Security Breach Notification Act?
Oklahoma’s Security Breach Notification Act is enforced by the Oklahoma attorney general. Accordingly, the Oklahoma attorney general has the authority to impose monetary penalties against businesses, companies, and agencies within the state that fail to comply with the law. More specifically, “the state AG or a district attorney shall have exclusive authority to bring an action and may obtain either actual damages for a violation of the statute or a civil penalty not to exceed $150,000 per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation.”
As security breaches have become an everyday reality for internet users around the world, legislation such as Oklahoma’s Security Breach Notification Act is more relevant than ever before. Through the provisions of the law, residents of the state have the legal means they need to avoid the adverse consequences of having their personal information compromised as a result of a security breach. While legislation such as Oklahoma’s Security Breach Notification Act does provide a certain level of protection, comprehensive data protection legislation such as the EU’s General Data Protection Regulation or GDPR takes these protections a step further, and American legislators will have to consider such legislation when looking to improve the level of privacy protections that citizens of the country are afforded when using the internet.