Breach Based on Harm Threshold: No
Deadline for Consumer Notice: Most expedient time possible and without unreasonable delay
Government Notification Required: Yes, if > 250 individuals affected
Scope of this Summary:
Notification requirements applicable to persons who own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
The notification obligation is not subject to a risk assessment.
Unauthorized acquisition of computerized data when access to personal information has not been secured by encryption or by any other method or technology, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
Statute does not apply to information that is secured by encryption or any other method or technology that renders the covered info unreadable or unusable.
Form of Covered Info
An individual's first name or first initial and last name in combination with any of the following data elements:
- The individual's Social Security number.
- The operator's license number assigned to an individual by the department of transportation under section 39-06-14.
- A non-driver color photo identification card number assigned to the individual by the department of transportation under section 39-06-03.1.
- The individual's financial institution account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial accounts.
- The individual's date of birth.
- The maiden name of the individual's mother.
- Medical information, meaning any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional.
- Health insurance information, meaning an individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.
- An identification number assigned to the individual by the individual's employer in combination with any required security code, access code, or password.
- The individual's digitized or other electronic signature.
Consumer Notice Timing
Must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and to restore the integrity of the system.
Consumer Notice Method
By written notice or electronic notice if consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
The North Dakota general breach notification and insurance data security statutes do not set out specific content requirements for the notice to affected persons and consumers.
Notification may be delayed if law enforcement determines notice will impede a criminal investigation.
Must notify without unreasonable delay the Attorney General via mail or email of any breach that affects more than 250 individuals.
Consumer Reporting Agency Notice
The North Dakota general breach notification and insurance data security statutes do not require notice to credit reporting agencies.
Exceptions for Other Laws
The statute includes certain exceptions for entities that are subject to the breach notification requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
If you maintain covered info on behalf of another entity, you must notify it immediately following discovery of a breach.
Private Right of Action
The North Dakota general breach notification does not provide for a private right of action.
Violations may result in civil penalties.