The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.  

The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice. 

Back To Map
Rapid Response Hotline 877.382.2724

North Dakota

Data Breach Notification Statue

Highlights

Covered Entities: Individuals, businesses, and other entities that own, license, or maintain personal information.

Consumer Notification: Notification must be provided to any North Dakota resident “if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”

Regulatory Notification: Notification must be provided to the North Dakota Attorney General where more than 250 North Dakota residents are required to be notified of a breach.

Notification Timeline: Notification must be provided in the most expedient time possible and without unreasonable delay.

Data Format: Electronic.

Citations: N.D. Cent. Code §§ 51-30-01 et seq.

More Details

Definitions:

  • Breach: Unauthorized acquisition of computerized data when access to personal information has not been secured by encryption or by any other method or technology that renders the electronic files, media, or databases unreadable or unusable.
  • Personal information (PI):
    • An individual’s first name / first initial and last name in combination with one or more of the following data elements:
      • Social security number;
      • The operator’s license number assigned to an individual by the department of transportation;
      • A non-driver color photo identification card number assigned to the individual by the department of transportation;
      • Account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial accounts;
      • The individual’s date of birth;
      • The maiden name of the individual’s mother;
      • Medical information;
      • Health insurance information;
      • An identification number assigned to the individual by the individual’s employer in combination with any required security code, access code, or password; or
      • The individual’s digitized or other electronic signature.
    • PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
  • Medical Information: “Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.”
  • Health Insurance Information: “An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.”

Safe Harbors:

  • Encryption: Notification is not required where the potentially impacted PI was encrypted.
  • Good Faith: Notification is not required where the potentially impacted PI was acquired in good faith by an employee or agent, for the purposes of the relevant person, business, or agency.
  • Risk of Harm: N/A
  • Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.

Direct Notice:

  • Timing: Notification must be provided in the most expedient time possible and without unreasonable delay, consistent with measures necessary to determine the scope of the breach and restore the integrity of the system.
  • Format: N/A
  • Content: N/A
  • Method: Written or electronic.

Substitute Notice:

An entity may provide substitute notice if (1) the cost of providing notice would exceed $250,000, (2) the notification population exceeds 500,000, or (3) the entity does not have sufficient contact information. Substitute notice must include: (1) email notice, where an email address is available; (2) conspicuous posting on the entity’s webpage, if one is maintained; and (3) notice to statewide media.

Remediation Services:

N/A

Regulatory Notice:

Notification must be provided to the North Dakota Attorney General where more than 250 North Dakota residents are required to be notified of a breach. The notice to the Attorney General must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and to restore the integrity of the data system.

Credit Reporting Agencies Notice:

N/A

Third-Party Notice:

Any person that maintains computerized data that includes PI that the person does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following the discovery, if the PI was, or is reasonably believed to have been, acquired by an unauthorized person.

HIPAA:

N/A

Private Action:

N/A

Associated Regulations:

  • Insurance Data Security (N.D. Cent. Code §§ 26.1-02.2-01 to 26.1-02.2-11)

Insurance Data Security Statute

Highlights

Covered Entities (Licensee): Any entity licensed, authorized to operate, registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this state.

Security Standard: Commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including the licensee's use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control, each licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee's risk assessment that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information system.

Consumer Notification: Notification must be provided to any North Dakota resident “if the personal information, was or is reasonably believed to have been, acquired by an unauthorized person.”

Regulatory Notification: A licensee shall notify the commissioner as promptly as possible, but no later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred, when either of the criteria referenced below have been met.

Notification Timeline: Notification to the commissioner must be made as promptly as possible, but no later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred. Notification must be made in the most expedient time possible and without unreasonable delay.

Citations: N.D.C.C. §§ 26.1-02.2-01 to 26.1-02.2-11

More Details

Definitions:

  • Consumer: An individual, including an applicant, policyholder, insured, beneficiary, claimant, and certificate holder, who is a resident of this state and whose nonpublic information is in a licensee's possession, custody, or control.
  • Cybersecurity Event: An event resulting in unauthorized access to, disruption, or misuse of, an information system or nonpublic information stored on the information system.
  • Nonpublic Information: Electronic information that is not publicly available information and is:
    • Any information concerning a consumer which can be used to identify the consumer because of name, number, personal mark, or other identifier in combination with any one or more of the following data elements:
      • Social Security number;
      • Driver’s license number or nondriver identification card number;
      • Financial account number or credit or debit card number;
      • Any security code, access code, or password that would permit access to a consumer's financial account; or
      • Biometric records.
    • Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer which can be used to identify a particular consumer and relates to:
      • The past, present, or future physical, mental, or behavioral health or condition of any consumer or a member of the consumer's family;
      • The provision of health care to any consumer; or
      • Payment for the provision of health care to any consumer.

Regulatory Notice:

A licensee shall notify the commissioner as promptly as possible, but no later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred, when either of the following criteria has been met:

  • North Dakota is the licensee's state of domicile, in the case of an insurer, or this state is the licensee's home state, in the case of a producer as defined in chapter 26.1-26, and the cybersecurity event has a reasonable likelihood of materially harming a consumer residing in this state or reasonable likelihood of materially harming any material part of the normal operations of the licensee; or
  • The licensee reasonably believes the nonpublic information involved is of 250 or more consumers residing in this state and is:
    • A cybersecurity event impacting the licensee for which notice is required to be provided to any government body, self-regulatory agency, or any other supervisory body pursuant to any state or federal law; or
    • A cybersecurity event that has a reasonable likelihood of materially harming any consumer residing in this state or materially harming any part of the normal operations of the licensee.

Content Requirements:

The licensee shall provide the notice required under this section in electronic form as directed by the commissioner. The licensee shall update and supplement the initial and any subsequent notifications to the commissioner regarding material changes to previously provided information relating to the cybersecurity event. The licensee's notice required under this section must include:

  • The date of the cybersecurity event;
  • Description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any;
  • How the cybersecurity event was discovered;
  • Whether any lost, stolen, or breached information has been recovered and if so, how;
  • The identity of the source of the cybersecurity event.
  • Whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when the notification was provided;
  • Description of the specific types of information acquired without authorization. Specific types of information means particular data elements, including medical information, financial information, or any other information allowing identification of the consumer;
  • The period during which the information system was compromised by the cybersecurity event;
  • The total number of consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the commissioner and update the estimate with a subsequent report to the commissioner pursuant to this section;
  • The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed;
  • Description of efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur;
  • A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and
  • Name of a contact person that is both familiar with the cybersecurity event and authorized to act for the licensee.

Third-Party Notice Requirements:

In the case of a cybersecurity event in a system maintained by a third-party service provider, of which the licensee has become aware, the licensee shall still notify individuals and the insurance commissioner as if the cybersecurity event were their own, however the third party service provider may notify the insurance commissioner.

Penalties:

The commissioner may examine and investigate the affairs of any licensee to determine whether the licensee has been or is engaged in any conduct in violation of this chapter. This power is in addition to the powers the commissioner has under chapter 26.1-03. Any investigation or examination must be conducted pursuant to chapter 26.1-03. If the commissioner has reason to believe a licensee has been or is engaged in conduct in this state which violates this chapter, the commissioner may take action that is necessary or appropriate to enforce the provisions of this chapter.

Associated Regulations:

N/A

Back to Page