Oklahoma 2024 Regular Session

Oklahoma Senate Bill SB1337 Compare Versions

Version 1 (Old)

Version 2 (New)

Old	New		Differences
1	1
2	2
3		-	SENATE FLOOR VERSION - SB1337 SFLR Page 1
4		-	(Bold face denotes Comm ittee Amendments) 1
	3	+	Req. No. 3538 Page 1 1
5	4		2
6	5		3
7	6		4
8	7		5
9	8		6
10	9		7
11	10		8
12	11		9
13	12		10
14	13		11
15	14		12
16	15		13
17	16		14
18	17		15
19	18		16
20	19		17
21	20		18
22	21		19
23	22		20
24	23		21
25	24		22
26	25		23
27	26		24
28	27
29		-	SENATE FLOOR VERSION
30		-	February 20, 2024
	28	+	STATE OF OKLAHOMA
31	29
	30	+	2nd Session of the 59th Legislature (2024)
32	31
33	32		COMMITTEE SUBSTITUTE
34	33		FOR
35		-	SENATE BILL ~~NO.~~ 1337 By: Howard
	34	+	SENATE BILL 1337 By: Howard
36	35
37	36
38	37
39	38
	39	+
	40	+	COMMITTEE SUBSTITUTE
40	41
41	42		An Act relating to the Security Breach Notification
42	43		Act; amending 24 O.S. 2021, Sections 162, 163, 164,
43	44		165, and 166, which relate to definitions, duty to
44	45		disclose breach, notice , enforcement, and
45	46		application; modifying definitions; requiring notice
46	47		of security breach of certain information; re quiring
47	48		notice to Attorney General under certain
48	49		circumstances; specifying contents of required
49	50		notice; providing exemptions from certain notice
50	51		requirements; requiring c onfidentiality of certain
51	52		information submitted to Attorney General;
52	53		authorizing Attorney General to promulgate rules;
53	54		clarifying compliance with certa in notice
54	55		requirements; modifying authorized civil penalties
55	56		for certain violations; providing exemptions from
56	57		certain liability; limit ing liability for violations
57	58		under certain circumstances; modifying applicabil ity
58	59		of act; updating statutory language; updating
59	60		statutory references; and providing an effective
60	61		date.
61	62
62	63
63	64
64	65
65	66		BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:
66	67		SECTION 1. AMENDATORY 24 O.S. 2021, Section 162, is
67	68		amended to read as follows:
68	69		Section 162. As used in the Security Breach Notification Act:
69		-	1. “Breach of the security of a system ” means the unauthorized
70		-	access and acquisition of unencrypted and unredacted computerized
71	70
72		-	SENATE FLOOR VERSION - SB1337 SFLR Page 2
73		-	(Bold face denotes Comm ittee Amendments) 1
	71	+	Req. No. 3538 Page 2 1
74	72		2
75	73		3
76	74		4
77	75		5
78	76		6
79	77		7
80	78		8
81	79		9
82	80		10
83	81		11
84	82		12
85	83		13
86	84		14
87	85		15
88	86		16
89	87		17
90	88		18
91	89		19
92	90		20
93	91		21
94	92		22
95	93		23
96	94		24
97	95
	96	+	1. “Breach of the security of a system ” means the unauthorized
	97	+	access and acquisition of unencrypted and unredacted computerized
98	98		data that compromises the security or confidentiality of personal
99	99		information maintained by an individual or enti ty as part of a
100	100		database of personal information regarding multiple individua ls and
101	101		that causes, or the individual or entity reasonably believes has
102	102		caused or will cause, identity theft or ot her fraud to any resident
103	103		of this state. Good faith acquisition of personal information by an
104	104		employee or agent of an individual or entity for the purposes of the
105	105		individual or the entity is not a breach of the security of the
106	106		system, provided that the personal information is not use d for a
107	107		purpose other than a lawful purpose of the individual or entity or
108	108		subject to further unauthorized disclosure;
109	109		2. “Entity” includes corporations , business trusts, estates,
110	110		partnerships, limited partnerships, limited li ability partnerships,
111	111		limited liability companies, associations, organizations, joint
112	112		ventures, governments, governmental subdivisions, agencies, or
113	113		instrumentalities, or any other legal entity, whether for profit or
114	114		not-for-profit;
115	115		3. “Encrypted” means transformation of data through the use of
116	116		an algorithmic process i nto a form in which there is a low
117	117		probability of assigni ng meaning without u se of a confidential
118	118		process or key, or securing the information by anothe r method that
119	119		renders the data elements unreadable or unusable;
120	120
121		-	SENATE FLOOR VERSION - SB1337 SFLR Page 3
122		-	(Bold face denotes Comm ittee Amendments) 1
	121	+	Req. No. 3538 Page 3 1
123	122		2
124	123		3
125	124		4
126	125		5
127	126		6
128	127		7
129	128		8
130	129		9
131	130		10
132	131		11
133	132		12
134	133		13
135	134		14
136	135		15
137	136		16
138	137		17
139	138		18
140	139		19
141	140		20
142	141		21
143	142		22
144	143		23
145	144		24
146	145
147	146		4. “Financial institution” means any institution the business
148	147		of which is engaging in financial activities as defined by 15
149	148		U.S.C., Section 6809;
150	149		5. “Individual” means a natural person;
151	150		6. “Personal information ” means the an individual’s first name
152	151		or first initial and last name in combination with and linked to any
153	152		one or more of the following data elements that r elate to a resident
154	153		of this state, when the individual if any of the data elements are
155	154		neither not encrypted, nor redacted, or otherwise altered by any
156	155		method or technology in such a manner that the name or data elements
157	156		are unreadable or are encr ypted, redacted, or otherwise altered by
158	157		any method or technology but the keys to unencrypt, unredact, or
159	158		otherwise read the data elem ents have been obtained th rough the
160	159		breach of security:
161	160		a. social security number,
162	161		b. driver license number or state other unique
163	162		identification card number issued in lieu of a driver
164	163		license, or created or collected by a government
165	164		entity,
166	165		c. financial account number, or credit card o r debit card
167	166		number, in combination with any required expiration
168	167		date, security code, access code, or password that
169	168		would permit access to the an individual’s financial
170	169		accounts of a resident account,
171	170
172		-	SENATE FLOOR VERSION - SB1337 SFLR Page 4
173		-	(Bold face denotes Comm ittee Amendments) 1
	171	+	Req. No. 3538 Page 4 1
174	172		2
175	173		3
176	174		4
177	175		5
178	176		6
179	177		7
180	178		8
181	179		9
182	180		10
183	181		11
184	182		12
185	183		13
186	184		14
187	185		15
188	186		16
189	187		17
190	188		18
191	189		19
192	190		20
193	191		21
194	192		22
195	193		23
196	194		24
197	195
198	196		d. unique electronic identifier or routing code in
199	197		combination with any require d security code, access
200	198		code, or password that would permit access to an
201	199		individual’s financial account, or
202	200		e. unique biometric data such as a fingerprint, retina or
203	201		iris image, or other unique physical or digital
204	202		representation of biometric data.
205	203		The term does not include information that is lawfully obtained from
206	204		publicly available information sources, or from federal, state or
207	205		local government records lawfully made available to the general
208	206		public;
209	207		7. “Notice” means:
210	208		a. written notice to the postal address in the records
211	209		of the individual or entity,
212	210		b. telephone notice,
213	211		c. electronic notice, or
214	212		d. substitute notice, if the individual or the entity
215	213		required to provide notice demonstrates that the cost
216	214		of providing notice will exceed Fifty Thousand Dollars
217	215		($50,000.00), or that the affected class of residents
218	216		to be notified exceeds one hundr ed thousand (100,000)
219	217		persons, or that the individual or the entity does not
220	218		have sufficient contact inf ormation or consent t o
221	219		provide notice as described in subparagraph a, b or c
222	220
223		-	SENATE FLOOR VERSION - SB1337 SFLR Page 5
224		-	(Bold face denotes Comm ittee Amendments) 1
	221	+	Req. No. 3538 Page 5 1
225	222		2
226	223		3
227	224		4
228	225		5
229	226		6
230	227		7
231	228		8
232	229		9
233	230		10
234	231		11
235	232		12
236	233		13
237	234		14
238	235		15
239	236		16
240	237		17
241	238		18
242	239		19
243	240		20
244	241		21
245	242		22
246	243		23
247	244		24
248	245
249	246		of this paragraph. Substitute notice consists of any
250	247		two of the following:
251	248		(1) e-mail email notice if the individual or the
252	249		entity has e-mail email addresses for the members
253	250		of the affected class of residents,
254	251		(2) conspicuous posting of the notice on the Internet
255	252		web site website of the individual or the entity
256	253		if the individual or the entity maint ains a
257	254		public Internet web site website, or
258	255		(3) notice to major stat ewide media; and
259	256		8. “Reasonable safeguards” means policies and practices that
260	257		ensure personal information is secure, taking into consideration an
261	258		entity’s size and the type and amount of personal information . The
262	259		term includes but is not limited to conducting r isk assessments,
263	260		implementing technical and physica l layered defenses, employee
264	261		training on handling personal information, and establishing an
265	262		incident response plan ; and
266	263		9. “Redact” means alteration or tru ncation of data such that no
267	264		more than the following are accessible as par t of the personal
268	265		information:
269	266		a. five digits of a social security number, or
270	267		b. the last four digits of a driver license number, state
271	268		unique identification card number created or collected
272	269		by a government entity, or account number.
273	270
274		-	SENATE FLOOR VERSION - SB1337 SFLR Page 6
275		-	(Bold face denotes Comm ittee Amendments) 1
	271	+	Req. No. 3538 Page 6 1
276	272		2
277	273		3
278	274		4
279	275		5
280	276		6
281	277		7
282	278		8
283	279		9
284	280		10
285	281		11
286	282		12
287	283		13
288	284		14
289	285		15
290	286		16
291	287		17
292	288		18
293	289		19
294	290		20
295	291		21
296	292		22
297	293		23
298	294		24
299	295
300	296		SECTION 2. AMENDATORY 24 O.S. 2021, Section 163, is
301	297		amended to read as follows:
302	298		Section 163. A. An individual or entity that owns or licenses
303	299		computerized data that includes personal informat ion shall disclose
304	300		provide notice of any breach of the security of the system following
305	301		discovery determination or notification of the breach of the
306	302		security of the system to any resident of this state whose
307	303		unencrypted and unredacted personal information was or is reasona bly
308	304		believed to have been access ed and acquired by an unauthorized
309	305		person and that causes, or the individual or entity reasona bly
310	306		believes has caused or will cause, ident ity theft or other fraud to
311	307		any resident of this state. Except as provided in subsection D of
312	308		this section or in order to take any measures necessary to determine
313	309		the scope of the breach and to restore the reasonable integrity of
314	310		the system, the disclosure s hall be made without unreasonable delay.
315	311		B. An individual or entity must disclose shall provide notice
316	312		of the breach of the security of the system if encrypted or redacted
317	313		information is accessed and acquired in an unenc rypted or unredacted
318	314		form or if the security breach involves a person with access to the
319	315		encryption key and the ind ividual or entity reasonably believes that
320	316		such breach has caused or will cause identity theft or other fraud
321	317		to any resident of this state.
322	318		C. An individual or entity that ma intains computerized data
323	319		that includes personal information that the individual or entity
324	320
325		-	SENATE FLOOR VERSION - SB1337 SFLR Page 7
326		-	(Bold face denotes Comm ittee Amendments) 1
	321	+	Req. No. 3538 Page 7 1
327	322		2
328	323		3
329	324		4
330	325		5
331	326		6
332	327		7
333	328		8
334	329		9
335	330		10
336	331		11
337	332		12
338	333		13
339	334		14
340	335		15
341	336		16
342	337		17
343	338		18
344	339		19
345	340		20
346	341		21
347	342		22
348	343		23
349	344		24
350	345
351	346		does not own or license shall notify provide notice to the owner or
352	347		licensee of the infor mation of any breach of the sec urity of the
353	348		system as soon as practicable following discovery determination, if
354	349		the personal information was or if the entity reasonably believes it
355	350		was accessed and acquired by an unauthorized person.
356	351		D. Notice required by this section may be delayed if a law
357	352		enforcement agency determines and advi ses the individual or entity
358	353		that the notice will impede a criminal or civil investigation or
359	354		homeland or national security. Notice required by this section must
360	355		be made without unre asonable delay after the law enforcement agen cy
361	356		determines that notification will no longer impede the inve stigation
362	357		or jeopardize national or homeland security.
363	358		E. 1. An individual or entity required to pro vide notice in
364	359		accordance with subsection A, B, or C of this section shall also
365	360		provide notice to the Attorney General o f such breach without
366	361		unreasonable delay but in no event more than sixty (60) days after
367	362		providing notice to impacted resi dents of this state as requir ed by
368	363		this section. The notice shall include the date of the breach, the
369	364		date of its determination, the nature of the breach, the type o f
370	365		personal information exposed, the number of residents of this st ate
371	366		affected, the estimated monetary impact of the br each to the extent
372	367		such impact can be determined, and any reasonable safeguards the
373	368		entity employs.
374	369
375		-	SENATE FLOOR VERSION - SB1337 SFLR Page 8
376		-	(Bold face denotes Comm ittee Amendments) 1
	370	+	Req. No. 3538 Page 8 1
377	371		2
378	372		3
379	373		4
380	374		5
381	375		6
382	376		7
383	377		8
384	378		9
385	379		10
386	380		11
387	381		12
388	382		13
389	383		14
390	384		15
391	385		16
392	386		17
393	387		18
394	388		19
395	389		20
396	390		21
397	391		22
398	392		23
399	393		24
400	394
401	395		2. A breach of a security system where fewer than five hundred
402	396		(500) residents of this state are affected within a single brea ch
403	397		shall be exempt from the n otice requirements of paragraph 1 of this
404	398		subsection.
405	399		3. A breach of a security system maintained by a credit bureau
406	400		where fewer than one thousand (1,000) residents of this state are
407	401		affected within a single breach shall be exempt from the notice
408	402		requirements of paragraph 1 of this subsection.
409	403		F. Any personal information submitted t o the Attorney Gener al
410	404		shall be kept confidential pursuant to Section 24A.12 of Title 51 of
411	405		the Oklahoma Statutes .
412	406		G. The Attorney General may promulgate rules as necessary to
413	407		effectuate the provisions of this se ction.
414	408		SECTION 3. AMENDATORY 24 O.S. 2021, Section 164, is
415	409		amended to read as follows:
416	410		Section 164. A. An individual or entity that maintains its own
417	411		notification procedures as part of an inf ormation privacy or
418	412		security policy for the treatment of personal information an d that
419	413		are consistent with the timing requirements of this act the Security
420	414		Breach Notification Act shall be deemed to be in compliance with the
421	415		notification requirements of this act subsection A, B, or C of
422	416		Section 163 of this title if it the individual or entity notifies
423	417		residents of this state in accordance with its proc edures in the
424	418		event of a breach of security of the system.
425	419
426		-	SENATE FLOOR VERSION - SB1337 SFLR Page 9
427		-	(Bold face denotes Comm ittee Amendments) 1
	420	+	Req. No. 3538 Page 9 1
428	421		2
429	422		3
430	423		4
431	424		5
432	425		6
433	426		7
434	427		8
435	428		9
436	429		10
437	430		11
438	431		12
439	432		13
440	433		14
441	434		15
442	435		16
443	436		17
444	437		18
445	438		19
446	439		20
447	440		21
448	441		22
449	442		23
450	443		24
451	444
452	445		B. The following entities shall be deemed to be in compliance
453	446		with the notification requirements of subsection A, B, or C of
454	447		Section 163 of this title if such entities provide the notice to the
455	448		Attorney General as required by subsection E of Section 163 of this
456	449		title:
457	450		1. A financial institution that c omplies with the notification
458		-	requirements prescribed by the Federal ~~Gramm-Leach-Bliley Act and~~
459		-	~~the federal Interagency Guidance~~ on Response Programs for
460		-	~~Unauthorized Access to Custome r Information~~ and Customer Notice is
461		-	~~deemed to be in compliance with the~~ provisions of this act. ;
	451	+	requirements prescribed by the Federal federal Interagency Guidance
	452	+	on Response Programs for Unauthorized Access to Custome r Information
	453	+	and Customer Notice is deemed to be in compliance with the
	454	+	provisions of this act. ;
462	455		2. An entity that complies with the notification requirements
463	456		prescribed by the Okla homa Hospital Cybersecurity Protection Act of
464	457		2023 or the Health Insurance Portability a nd Accountability Act of
465	458		1996 (HIPAA); and
466	459		3. An entity that complies with the notifica tion requirements
467	460		or procedures pursuant t o the rules, regulation regulations,
468	461		procedures, or guidelines established by the primary or functional
469	462		federal regulator of the entity shall be deemed to be in compliance
470	463		with the provisions of this act .
471	464		SECTION 4. AMENDATORY 24 O.S. 2021, Section 165, is
472	465		amended to read as follows:
473	466		Section 165. A. A violation of this act the Security Breach
474	467		Notification Act that results in injury or loss to residents of this
475	468		state may be enforced by the Attorney General or a district attorney
476	469
477		-	SENATE FLOOR VERSION - SB1337 SFLR Page 10
478		-	(Bold face denotes Comm ittee Amendments) 1
	470	+	Req. No. 3538 Page 10 1
479	471		2
480	472		3
481	473		4
482	474		5
483	475		6
484	476		7
485	477		8
486	478		9
487	479		10
488	480		11
489	481		12
490	482		13
491	483		14
492	484		15
493	485		16
494	486		17
495	487		18
496	488		19
497	489		20
498	490		21
499	491		22
500	492		23
501	493		24
502	494
503	495		in the same manner as an unlawful practice under t he Oklahoma
504	496		Consumer Protection Act.
505	497		B. Except as provided in subsection C D of this section, the
506	498		Attorney General or a district attorney shall have exclu sive
507	499		authority to bring an action and may obtain either actual damages
508	500		for a violation of this act or the Security Breach Notification Act
509	501		and a civil penalty not to exceed One Hundre d Fifty Thousand Dollars
510	502		($150,000.00) per breach of the security of the system or series of
511	503		breaches of a similar natu re that are discovered determined in a
512	504		single investigation or Two Thousand Dollars ($2,000.00) for each
513	505		resident of the state for each breach, whichever is greater, or a
514	506		combination of such actual damages and civil penalty. Civil
515	507		penalties shall be based upon the magnitude of the breach, the
516	508		extent to which the behavio r of the individual or entity contributed
517	509		to the breach, and any failure to provide the notice required by
518	510		Section 163 of this title.
519	511		C. 1. An individual or entity that uses reasonable safeguards
520	512		and provides notice as re quired by Section 163 or 164 of this title
521	513		shall not be subject to civil penalties and may use such compliance
522	514		as an affirmative defense in a civil a ction filed under the Security
523	515		Breach Notification Act.
524	516		2. An individual or entity that fails to use reasonable
525	517		safeguards but provides notice as required by Section 163 or 164 of
526	518		this title shall not be subject to the civil penalty set forth in
527	519
528		-	SENATE FLOOR VERSION - SB1337 SFLR Page 11
529		-	(Bold face denotes Comm ittee Amendments) 1
	520	+	Req. No. 3538 Page 11 1
530	521		2
531	522		3
532	523		4
533	524		5
534	525		6
535	526		7
536	527		8
537	528		9
538	529		10
539	530		11
540	531		12
541	532		13
542	533		14
543	534		15
544	535		16
545	536		17
546	537		18
547	538		19
548	539		20
549	540		21
550	541		22
551	542		23
552	543		24
553	544
554	545		subsection B of this section. Such individuals or entities shall be
555	546		subject to a civil pe nalty of One Hundred Dollars ($100. 00) for each
556	547		resident of this state for each breach not to exceed a total penalt y
557	548		of One Hundred Thousand Dollars ($10 0,000.00).
558	549		C. D. A violation of this act the Security Breach Notification
559	550		Act by a state-chartered or state-licensed financial institution
560	551		shall be enforceable exc lusively by the primary state regulator of
561	552		the financial institution.
562	553		SECTION 5. AMENDATORY 24 O.S. 2021, Section 166, is
563	554		amended to read as follows:
564	555		Section 166. This act The Security Breach Notification Act
565	556		shall apply to the discovery determination or notification of a
566	557		breach of the security of the system th at occurs on or after
567	558		November 1, 2008 January 1, 2025.
568	559		SECTION 6. This act shall become effective January 1, 2025.
569		-	~~COMMITTEE REPORT BY: COMMITTEE ON JUDICIARY~~
570		-	~~February~~ 20, 2024 ~~- DO PASS AS AMENDED BY CS~~
	560	+
	561	+	59-2-3538 TEK 2/20/2024 5:37:46 PM