CHAPTER 51-30NOTICE OF SECURITY BREACH FOR PERSONAL INFORMATION51-30-01. Definitions. In this chapter, unless the context or subject matter otherwiserequires:1."Breach of the security system" means unauthorized acquisition of computerized<br>data when access to personal information has not been secured by encryption or by<br>any other method or technology that renders the electronic files, media, or data<br>bases unreadable or unusable. Good-faith acquisition of personal information by an<br>employee or agent of the person is not a breach of the security of the system, if the<br>personal information is not used or subject to further unauthorized disclosure.2.a."Personal information" means an individual's first name or first initial and last<br>name in combination with any of the following data elements, when the name<br>and the data elements are not encrypted:(1)The individual's social security number;(2)The operator's license number assigned to an individual by the<br>department of transportation under section 39-06-14;(3)A nondriver color photo identification card number assigned to the<br>individual by the department of transportation under section 39-06-03.1;(4)The individual's financial institution account number, credit card number,<br>or debit card number in combination with any required security code,<br>access code, or password that would permit access to an individual's<br>financial accounts;(5)The individual's date of birth;(6)The maiden name of the individual's mother;(7)An identification number assigned to the individual by the individual's<br>employer; or(8)The individual's digitized or other electronic signature.b."Personal information" does not include publicly available information that is<br>lawfully made available to the general public from federal, state, or local<br>government records.51-30-02. Notice to consumers. Any person that conducts business in this state, andthat owns or licenses computerized data that includes personal information, shall disclose any<br>breach of the security of the system following discovery or notification of the breach in the<br>security of the data to any resident of the state whose unencrypted personal information was, or<br>is reasonably believed to have been, acquired by an unauthorized person. The disclosure must<br>be made in the most expedient time possible and without unreasonable delay, consistent with the<br>legitimate needs of law enforcement, as provided in section 51-30-04, or any measures<br>necessary to determine the scope of the breach and to restore the integrity of the data system.51-30-03. Notice to owner or licensee of personal information. Any person thatmaintains computerized data that includes personal information that the person does not own<br>shall notify the owner or licensee of the information of the breach of the security of the data<br>immediately following the discovery, if the personal information was, or is reasonably believed to<br>have been, acquired by an unauthorized person.Page No. 151-30-04. Delayed notice. The notification required by this chapter may be delayed if alaw enforcement agency determines that the notification will impede a criminal investigation. The<br>notification required by this chapter must be made after the law enforcement agency determines<br>that the notification will not compromise the investigation.51-30-05. Method of notice. Notice under this chapter may be provided by one of thefollowing methods:1.Written notice;2.Electronic notice, if the notice provided is consistent with the provisions regarding<br>electronic records and signatures set forth in section 7001 of title 15 of the United<br>States Code; or3.Substitute notice, if the person demonstrates that the cost of providing notice would<br>exceed two hundred fifty thousand dollars, or that the affected class of subject<br>persons to be notified exceeds five hundred thousand, or the person does not have<br>sufficient contact information. Substitute notice consists of the following:a.E-mail notice when the person has an e-mail address for the subject persons;b.Conspicuous posting of the notice on the person's web site page, if the person<br>maintains one; andc.Notification to major statewide media.51-30-06.Alternate compliance.Notwithstanding section 51-30-05, a person thatmaintains its own notification procedures as part of an information security policy for the<br>treatment of personal information and is otherwise consistent with the timing requirements of this<br>chapter is deemed to be in compliance with the notification requirements of this chapter if the<br>person notifies subject individuals in accordance with its policies in the event of a breach of<br>security of the system. A financial institution, trust company, or credit union that is subject to,<br>examined for, and in compliance with the federal interagency guidance on response programs for<br>unauthorized access to customer information and customer notice is deemed to be in<br>compliance with this chapter.51-30-07. Enforcement - Powers - Remedies - Penalties. The attorney general mayenforce this chapter. The attorney general, in enforcing this chapter, has all the powers provided<br>in chapter 51-15 and may seek all the remedies in chapter 51-15. A violation of this chapter is<br>deemed a violation of chapter 51-15. The remedies, duties, prohibitions, and penalties of this<br>chapter are not exclusive and are in addition to all other causes of action, remedies, and<br>penalties under chapter 51-15, or otherwise provided by law.Page No. 2Document Outlinechapter 51-30 notice of security breach for personal information
CHAPTER 51-30NOTICE OF SECURITY BREACH FOR PERSONAL INFORMATION51-30-01. Definitions. In this chapter, unless the context or subject matter otherwiserequires:1."Breach of the security system" means unauthorized acquisition of computerized<br>data when access to personal information has not been secured by encryption or by<br>any other method or technology that renders the electronic files, media, or data<br>bases unreadable or unusable. Good-faith acquisition of personal information by an<br>employee or agent of the person is not a breach of the security of the system, if the<br>personal information is not used or subject to further unauthorized disclosure.2.a."Personal information" means an individual's first name or first initial and last<br>name in combination with any of the following data elements, when the name<br>and the data elements are not encrypted:(1)The individual's social security number;(2)The operator's license number assigned to an individual by the<br>department of transportation under section 39-06-14;(3)A nondriver color photo identification card number assigned to the<br>individual by the department of transportation under section 39-06-03.1;(4)The individual's financial institution account number, credit card number,<br>or debit card number in combination with any required security code,<br>access code, or password that would permit access to an individual's<br>financial accounts;(5)The individual's date of birth;(6)The maiden name of the individual's mother;(7)An identification number assigned to the individual by the individual's<br>employer; or(8)The individual's digitized or other electronic signature.b."Personal information" does not include publicly available information that is<br>lawfully made available to the general public from federal, state, or local<br>government records.51-30-02. Notice to consumers. Any person that conducts business in this state, andthat owns or licenses computerized data that includes personal information, shall disclose any<br>breach of the security of the system following discovery or notification of the breach in the<br>security of the data to any resident of the state whose unencrypted personal information was, or<br>is reasonably believed to have been, acquired by an unauthorized person. The disclosure must<br>be made in the most expedient time possible and without unreasonable delay, consistent with the<br>legitimate needs of law enforcement, as provided in section 51-30-04, or any measures<br>necessary to determine the scope of the breach and to restore the integrity of the data system.51-30-03. Notice to owner or licensee of personal information. Any person thatmaintains computerized data that includes personal information that the person does not own<br>shall notify the owner or licensee of the information of the breach of the security of the data<br>immediately following the discovery, if the personal information was, or is reasonably believed to<br>have been, acquired by an unauthorized person.Page No. 151-30-04. Delayed notice. The notification required by this chapter may be delayed if alaw enforcement agency determines that the notification will impede a criminal investigation. The<br>notification required by this chapter must be made after the law enforcement agency determines<br>that the notification will not compromise the investigation.51-30-05. Method of notice. Notice under this chapter may be provided by one of thefollowing methods:1.Written notice;2.Electronic notice, if the notice provided is consistent with the provisions regarding<br>electronic records and signatures set forth in section 7001 of title 15 of the United<br>States Code; or3.Substitute notice, if the person demonstrates that the cost of providing notice would<br>exceed two hundred fifty thousand dollars, or that the affected class of subject<br>persons to be notified exceeds five hundred thousand, or the person does not have<br>sufficient contact information. Substitute notice consists of the following:a.E-mail notice when the person has an e-mail address for the subject persons;b.Conspicuous posting of the notice on the person's web site page, if the person<br>maintains one; andc.Notification to major statewide media.51-30-06.Alternate compliance.Notwithstanding section 51-30-05, a person thatmaintains its own notification procedures as part of an information security policy for the<br>treatment of personal information and is otherwise consistent with the timing requirements of this<br>chapter is deemed to be in compliance with the notification requirements of this chapter if the<br>person notifies subject individuals in accordance with its policies in the event of a breach of<br>security of the system. A financial institution, trust company, or credit union that is subject to,<br>examined for, and in compliance with the federal interagency guidance on response programs for<br>unauthorized access to customer information and customer notice is deemed to be in<br>compliance with this chapter.51-30-07. Enforcement - Powers - Remedies - Penalties. The attorney general mayenforce this chapter. The attorney general, in enforcing this chapter, has all the powers provided<br>in chapter 51-15 and may seek all the remedies in chapter 51-15. A violation of this chapter is<br>deemed a violation of chapter 51-15. The remedies, duties, prohibitions, and penalties of this<br>chapter are not exclusive and are in addition to all other causes of action, remedies, and<br>penalties under chapter 51-15, or otherwise provided by law.Page No. 2Document Outlinechapter 51-30 notice of security breach for personal information
CHAPTER 51-30NOTICE OF SECURITY BREACH FOR PERSONAL INFORMATION51-30-01. Definitions. In this chapter, unless the context or subject matter otherwiserequires:1."Breach of the security system" means unauthorized acquisition of computerized<br>data when access to personal information has not been secured by encryption or by<br>any other method or technology that renders the electronic files, media, or data<br>bases unreadable or unusable. Good-faith acquisition of personal information by an<br>employee or agent of the person is not a breach of the security of the system, if the<br>personal information is not used or subject to further unauthorized disclosure.2.a."Personal information" means an individual's first name or first initial and last<br>name in combination with any of the following data elements, when the name<br>and the data elements are not encrypted:(1)The individual's social security number;(2)The operator's license number assigned to an individual by the<br>department of transportation under section 39-06-14;(3)A nondriver color photo identification card number assigned to the<br>individual by the department of transportation under section 39-06-03.1;(4)The individual's financial institution account number, credit card number,<br>or debit card number in combination with any required security code,<br>access code, or password that would permit access to an individual's<br>financial accounts;(5)The individual's date of birth;(6)The maiden name of the individual's mother;(7)An identification number assigned to the individual by the individual's<br>employer; or(8)The individual's digitized or other electronic signature.b."Personal information" does not include publicly available information that is<br>lawfully made available to the general public from federal, state, or local<br>government records.51-30-02. Notice to consumers. Any person that conducts business in this state, andthat owns or licenses computerized data that includes personal information, shall disclose any<br>breach of the security of the system following discovery or notification of the breach in the<br>security of the data to any resident of the state whose unencrypted personal information was, or<br>is reasonably believed to have been, acquired by an unauthorized person. The disclosure must<br>be made in the most expedient time possible and without unreasonable delay, consistent with the<br>legitimate needs of law enforcement, as provided in section 51-30-04, or any measures<br>necessary to determine the scope of the breach and to restore the integrity of the data system.51-30-03. Notice to owner or licensee of personal information. Any person thatmaintains computerized data that includes personal information that the person does not own<br>shall notify the owner or licensee of the information of the breach of the security of the data<br>immediately following the discovery, if the personal information was, or is reasonably believed to<br>have been, acquired by an unauthorized person.Page No. 151-30-04. Delayed notice. The notification required by this chapter may be delayed if alaw enforcement agency determines that the notification will impede a criminal investigation. The<br>notification required by this chapter must be made after the law enforcement agency determines<br>that the notification will not compromise the investigation.51-30-05. Method of notice. Notice under this chapter may be provided by one of thefollowing methods:1.Written notice;2.Electronic notice, if the notice provided is consistent with the provisions regarding<br>electronic records and signatures set forth in section 7001 of title 15 of the United<br>States Code; or3.Substitute notice, if the person demonstrates that the cost of providing notice would<br>exceed two hundred fifty thousand dollars, or that the affected class of subject<br>persons to be notified exceeds five hundred thousand, or the person does not have<br>sufficient contact information. Substitute notice consists of the following:a.E-mail notice when the person has an e-mail address for the subject persons;b.Conspicuous posting of the notice on the person's web site page, if the person<br>maintains one; andc.Notification to major statewide media.51-30-06.Alternate compliance.Notwithstanding section 51-30-05, a person thatmaintains its own notification procedures as part of an information security policy for the<br>treatment of personal information and is otherwise consistent with the timing requirements of this<br>chapter is deemed to be in compliance with the notification requirements of this chapter if the<br>person notifies subject individuals in accordance with its policies in the event of a breach of<br>security of the system. A financial institution, trust company, or credit union that is subject to,<br>examined for, and in compliance with the federal interagency guidance on response programs for<br>unauthorized access to customer information and customer notice is deemed to be in<br>compliance with this chapter.51-30-07. Enforcement - Powers - Remedies - Penalties. The attorney general mayenforce this chapter. The attorney general, in enforcing this chapter, has all the powers provided<br>in chapter 51-15 and may seek all the remedies in chapter 51-15. A violation of this chapter is<br>deemed a violation of chapter 51-15. The remedies, duties, prohibitions, and penalties of this<br>chapter are not exclusive and are in addition to all other causes of action, remedies, and<br>penalties under chapter 51-15, or otherwise provided by law.Page No. 2Document Outlinechapter 51-30 notice of security breach for personal information
