Come August 1, North Dakota’s Attorney General will expect to hear from you if your company suffers a breach of computerized data affecting more than 250 persons.


On April 13, North Dakota Governor Jack Dalrymple signed S. 2214 into law, which amended the state’s data breach statute in an attempt to expand the reach of the state’s notification requirements and the range of businesses subject to them. As the law is currently written, North Dakota’s data breach statute only applies to persons who conduct business in the state. The amendment strikes this limiting language, attempting to make all persons – and all companies – who own or license computerized data containing “personal information” subject to the state’s breach notification requirements once S. 2214 goes into effect on August 1.

S. 2214 will also require businesses that suffer a breach affecting more than 250 people to notify the state’s Attorney General by mail or email. Under a strict reading of the amended statute, companies that do not even do business in the Roughrider State may need to inform North Dakota’s Attorney General if they suffer a breach of any consumer’s personal information. Jurisdictional limitations may narrow that reading, however, limiting notice to the AG only if residents of North Dakota are affected and only if the company meets the minimum contacts threshold.

Additionally, after expanding the definition of “personal information” in 2013 to include medical information and health insurance information, the 2015 amendment narrows the notification requirement for breaches of employer identification numbers by qualifying that notification is only required when there is a breach of such numbers in combination with any required security code, access code or password.

By enacting S. 2214, North Dakota joins Montana, Washington State, and Wyoming in passing substantive amendments to their respective data breach laws this year. Given the subtle-but-important changes North Dakota has made to its statute, businesses in all corners of the country will have to assess their compliance obligations with the revised law on August 1.

Governor Dalrymple also signed into law S.B. 2326, which requires the board of each school district to adopt a policy regarding the protection of student data and limits how that data can be shared, the consents required for sharing with non-school district employees, and the notifications required when student data is breached. And while S.C.R. 4012 did not require the governor’s signature, this concurrent resolution adopted by the Assembly at the end of March directs the Legislative Management to “study the privacy, security, and data sharing laws in North Dakota, the effectiveness of federal privacy, security, and data sharing laws and the laws of other states, the interaction of federal and state laws, and whether current privacy, security, and data sharing protections meet the reasonable expectations of the citizens of North Dakota.” Consistent with national trends, privacy and information security are top of mind with regulators and legislators in North Dakota, and should be for businesses as well.