Security Breach Notice Law in the State of North Dakota
N.D. Cent. Code § 51-30-01 is a security breach notification law that was passed in the U.S. state of North Dakota in 2005 and has been amended several times, most recently in 2015. The 2015 amendment was intended to provide residents of the state of North Dakota with an enhanced level of protection against the adverse consequences of a security breach. The law sets forth the responsibilities that business entities have toward these residents when a security breach occurs. It also sets forth the punishments that businesses within the state of North Dakota stand to face should they fail to comply with its provisions.
How is a security breach defined?
Under N.D. Cent. Code § 51-30-01, a security breach is defined as the “unauthorized acquisition of computerized data when access to PI has not been secured by encryption or by any other method or technology that renders the electronic files, media, or databases unreadable or unusable.” Alternatively, the “good-faith acquisition of PI by an employee or agent of the Entity is not a breach of the security of the system if the PI is not used or subject to further unauthorized disclosure.” Moreover, as it concerns the scope and applicability of the law, the provisions of the law apply to “any entity that conducts business in ND and that owns or licenses computerized data that includes PI.”
What are the security breach notification requirements?
N.D. Cent. Code § 51-30-01 mandates that business entities provide notification to North Dakota residents in the event that a security breach takes place. These notifications must be provided in the most expedient manner possible and must give residents details including the scope and severity of the breach, as well as the types of personal information that were disclosed during the breach, among other pertinent information. Additionally, business entities that experience a data breach are required to notify the North Dakota attorney general in instances where a security breach affects more than 250 residents within the state.
What types of personal information are legally protected?
Under N.D. Cent. Code § 51-30-01, the following types of personal information are legally protected should a security breach occur, when they appear in connection with a North Dakota resident’s first name or first initial and last name and have not been redacted, encrypted, or otherwise rendered inaccessible through another form of technology:
- Social security numbers.
- “The operator’s license number assigned to an individual by the department of transportation.”
- “A non-driver color photo identification card number assigned to the individual by the department of transportation.”
- Financial account numbers and credit and debit card numbers, as well as any required access codes, security codes, or passwords that could be used to gain access to a North Dakota resident’s financial account.
- An individual’s date of birth.
- The maiden name of an individual’s mother.
- Health insurance information.
- Identification numbers issued to North Dakota residents on behalf of their employers, as well as any required passwords, access codes, or security codes.
- Digitized and electronic signatures.
What are the penalties for violating N.D. Cent. Code § 51-30-01?
The provisions of N.D. Cent. Code § 51-30-01 are enforceable by the North Dakota attorney general, who has the authority to impose a multitude of penalties and sanctions against businesses within the state that are found to be in violation of the law. Such punishments include civil damages of up to $5,000 for each offense and a temporary or permanent injunction, as well as reasonable attorney fees, expenses, and costs that may be incurred during the course of a legal investigation. The North Dakota attorney general may also impose further punishments at their own discretion.
Through the enactment of N.D. Cent. Code § 51-30-01, residents of the state of North Dakota were provided with the legal means to mitigate the adverse effects that can result from being involved in a security breach. As the law protects a wide range of personal information, from common forms of information such as financial account numbers to less common forms such as an employee identification number, residents of the state can also ensure that their personal information is being safeguarded at every level of society. To this end, N.D. Cent. Code § 51-30-01 ensures that personal information concerning North Dakota residents cannot be disclosed improperly without legal repercussions.