North Dakota Enacts Financial Data Security and Data Breach Notification Requirements

pOn April 11 2025 the North Dakota governor signed HB 1127 the Act which establishes new data security measures and breach notification obligations for financial corporations Covered entities include those that are regulated by the North Dakota Department of Financial Institutions and exclude financial institutions such as banks and credit unionsppKey requirements which mirror requirements under the federal GrammLeachBliley Act Safeguards Rule include the followingppThe Act also imposes new requirements regarding security incidents ie notification events A notification event means the acquisition of unencrypted customer information without the authorization of the individual to which the information pertains Financial corporations must notify the Department of Financial Institutions as soon as possible and no later than 45 days after discovering a notification event that involves the information of at least 500 consumers Notably the Act specifies that a notification event must be treated as discovered on the first day when the event is known to the financial corporation A financial corporation is deemed to have knowledge of a notification event if the event is known to any employee officer or other agent of the financial corporation other than the person committing the breach The Act will take effect on August 1 2025p