North Dakota
|
Click here to review text of state statute |
Information Covered / Important Definitions
Information covered:
Personal information of North Dakota residents.
Definition also includes (i) date of birth, (ii) mother’s maiden name, (iii) employee identification number in combination with any required access code or password, (iv) electronic or digitized signature, (v) health insurance information, and (vi) medical information.
Important definitions:
“Security Breach” means unauthorized acquisition of computerized data when access to personal information has not been secured by encryption or by any other method or technology that renders the electronic files, media, or databases unreadable or unusable.
“Health Insurance Information” means an individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.
“Medical Information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
Covered Entities* / Third Party Recipients
Subject to statute:
Any person that owns or licenses computerized data that includes personal information.
Third party recipients:
Any person that maintains or possesses records or data containing personal information that the person does not own or license must notify the owner or licensee of the information of any security breach immediately following discovery of the breach.
Notice Procedures & Timing / Other Obligations
Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless a law enforcement agency determines that notice will impede an investigation (in which case notification is delayed until authorized by law enforcement).
- Substitute notice is available by means prescribed in the statute if costs to exceed $250,000, affected class exceeds 500,000 persons, or covered entity has insufficient contact information.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted. Both the name information and associated data elements must be encrypted.
Other exemptions:
Exemption for good faith acquisition of personal information by an employee or agent of the covered entity so long as personal information is not used or subject to further unauthorized disclosure.
A covered entity is deemed in compliance with the North Dakota statute if it maintains and complies with its own notification procedures as part of an information security policy and whose procedures are consistent with the timing requirements of the North Dakota statute.
A financial institution, trust company or credit union subject to and in compliance with interagency guidance for unauthorized access to customer information and customer notice is deemed in compliance with North Dakota statute.
A covered entity subject to HIPAA is deemed in compliance with North Dakota statute.
Notification to Regulator / Waiver
Attorney general must be notified by mail or email if a single breach results in notice to more than 250 individuals.
Penalties
Remedies for violations are set forth in N.D. Cent. Code 51-15.
Private Cause of Action / Enforcement
Private Cause of Action: No.
Enforcement by attorney general only.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.
|
Click here to review text of state statute |