| 34 | 27 | | |
|---|
| 35 | 28 | | ENGROSSED SENATE |
|---|
| 36 | 29 | | BILL NO. 626 By: Howard of the Senate |
|---|
| 37 | 30 | | |
|---|
| 38 | 31 | | and |
|---|
| 39 | 32 | | |
|---|
| 40 | 33 | | Pfeiffer of the House |
|---|
| 41 | 34 | | |
|---|
| 42 | 35 | | |
|---|
| 43 | 36 | | |
|---|
| 44 | 37 | | |
|---|
| 45 | 38 | | An Act relating to the Security Breach Notification |
|---|
| 46 | 39 | | Act; amending 24 O.S. 2021, Sections 162, 163, 164, |
|---|
| 47 | 40 | | 165, and 166, which relate to definitions, duty to |
|---|
| 48 | 41 | | disclose breach, notice, enforcement, and |
|---|
| 49 | 42 | | application; modifying definitions; requiring notice |
|---|
| 50 | 43 | | of security breach of certain information; requiring |
|---|
| 51 | 44 | | notice to Attorney General under certain |
|---|
| 52 | 45 | | circumstances; specifying contents of required |
|---|
| 53 | 46 | | notice; providing exemptions from certain notice |
|---|
| 54 | 47 | | requirements; requiring confidentiality of certain |
|---|
| 55 | 48 | | information submitted to Attorney General; |
|---|
| 56 | 49 | | authorizing Attorney General to promulgate rules; |
|---|
| 57 | 50 | | clarifying compliance with certain notice |
|---|
| 58 | 51 | | requirements; modifying authorized civil penalties |
|---|
| 59 | 52 | | for certain violations; providing exemptions from |
|---|
| 60 | 53 | | certain liability; limiting liability for violations |
|---|
| 61 | 54 | | under certain circumstances; modifying applicability |
|---|
| 62 | 55 | | of act; updating statutory language; updating |
|---|
| 63 | 56 | | statutory references; and providing an effective |
|---|
| 64 | 57 | | date. |
|---|
| 65 | 58 | | |
|---|
| 66 | 59 | | |
|---|
| 67 | 60 | | |
|---|
| 68 | 61 | | |
|---|
| 69 | 62 | | BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA: |
|---|
| 70 | 63 | | SECTION 1. AMENDATORY 24 O.S. 2021, Section 162, is |
|---|
| 71 | 64 | | amended to read as follows: |
|---|
| 72 | 65 | | Section 162. As used in the Security Breach Notification Act: |
|---|
| 103 | 95 | | information maintained by an individual or entity as part of a |
|---|
| 104 | 96 | | database of personal inf ormation regarding multiple individuals and |
|---|
| 105 | 97 | | that causes, or the individual or entity reasonably believes has |
|---|
| 106 | 98 | | caused or will cause, identity theft or other fraud to any resident |
|---|
| 107 | 99 | | of this state. Good faith acquisition of personal information by an |
|---|
| 108 | 100 | | employee or agent of an individual or entity for the purposes of the |
|---|
| 109 | 101 | | individual or the entity is not a breach of the security of the |
|---|
| 110 | 102 | | system, provided that the personal information is not used for a |
|---|
| 111 | 103 | | purpose other than a lawful purpose of the individual or entity or |
|---|
| 112 | 104 | | subject to further unauthorized disclosure; |
|---|
| 113 | 105 | | 2. “Entity” includes corporations, business trusts, estates, |
|---|
| 114 | 106 | | partnerships, limited partnerships, limited liability partnerships, |
|---|
| 115 | 107 | | limited liability companies, associations, organizations, joint |
|---|
| 116 | 108 | | ventures, governments, governmental subdivisions, agencies, or |
|---|
| 117 | 109 | | instrumentalities, or any other legal entity, whether for profit or |
|---|
| 118 | 110 | | not-for-profit; |
|---|
| 119 | 111 | | 3. “Encrypted” means transformation of data through the use of |
|---|
| 120 | 112 | | an algorithmic process into a form in which there is a low |
|---|
| 121 | 113 | | probability of assigning meaning without use of a confidential |
|---|
| 122 | 114 | | process or key, or securing the information by another method that |
|---|
| 123 | 115 | | renders the data elements unreadable or unusable; |
|---|
| 154 | 145 | | 5. “Individual” means a natural person; |
|---|
| 155 | 146 | | 6. “Personal information ” means the an individual’s first name |
|---|
| 156 | 147 | | or first initial and last name in combination with and linked to any |
|---|
| 157 | 148 | | one or more of the following data elements that relate to a resident |
|---|
| 158 | 149 | | of this state, when the individual if any of the data elements are |
|---|
| 159 | 150 | | neither not encrypted, nor redacted, or otherwise altered by any |
|---|
| 160 | 151 | | method or technology in such a manner that the name or data elements |
|---|
| 161 | 152 | | are unreadable or are encrypted, redacted, or otherwise altered by |
|---|
| 162 | 153 | | any method or technology but the keys to unencrypt, unredact, or |
|---|
| 163 | 154 | | otherwise read the data elements have been obtained through the |
|---|
| 164 | 155 | | breach of security: |
|---|
| 165 | 156 | | a. social security number, |
|---|
| 166 | 157 | | b. driver license number or state other unique |
|---|
| 167 | 158 | | identification card number issued in lieu of a driver |
|---|
| 168 | 159 | | license, or created or collected by a government |
|---|
| 169 | 160 | | entity, |
|---|
| 170 | 161 | | c. financial account number, or credit card or debit card |
|---|
| 171 | 162 | | number, in combination with any required expiration |
|---|
| 172 | 163 | | date, security code, access code, or password that |
|---|
| 173 | 164 | | would permit access to the an individual’s financial |
|---|
| 174 | 165 | | accounts of a resident account, |
|---|
| 204 | 194 | | code, or password th at would permit access to an |
|---|
| 205 | 195 | | individual’s financial account, or |
|---|
| 206 | 196 | | e. unique biometric data such as a fingerprint, retina or |
|---|
| 207 | 197 | | iris image, or other unique physical or digital |
|---|
| 208 | 198 | | representation of biometric data to authenticate a |
|---|
| 209 | 199 | | specific individual. |
|---|
| 210 | 200 | | The term does not include information that is lawfully obtained from |
|---|
| 211 | 201 | | publicly available information sources, or from federal, state or |
|---|
| 212 | 202 | | local government records lawfully made available to the general |
|---|
| 213 | 203 | | public; |
|---|
| 214 | 204 | | 7. “Notice” means: |
|---|
| 215 | 205 | | a. written notice to the postal address in the records |
|---|
| 216 | 206 | | of the individual or entity, |
|---|
| 217 | 207 | | b. telephone notice, |
|---|
| 218 | 208 | | c. electronic notice, or |
|---|
| 219 | 209 | | d. substitute notice, if the individual or the entity |
|---|
| 220 | 210 | | required to provide notice demonstrates that the cost |
|---|
| 221 | 211 | | of providing notice will exceed Fifty Thousand Dollars |
|---|
| 222 | 212 | | ($50,000.00), or that the affected class of residents |
|---|
| 223 | 213 | | to be notified exceeds one hundred thousand (100,000) |
|---|
| 224 | 214 | | persons, or that the individual or the entity does not |
|---|
| 225 | 215 | | have sufficient contact information or consent to |
|---|
| 254 | 243 | | of this paragraph. Substitute notice consists of any |
|---|
| 255 | 244 | | two of the following: |
|---|
| 256 | 245 | | (1) e-mail email notice if the individual or the |
|---|
| 257 | 246 | | entity has e-mail email addresses for the members |
|---|
| 258 | 247 | | of the affected class of residents, |
|---|
| 259 | 248 | | (2) conspicuous posting of the notice o n the Internet |
|---|
| 260 | 249 | | web site website of the individual or the entity |
|---|
| 261 | 250 | | if the individual or the entity maintains a |
|---|
| 262 | 251 | | public Internet web site website, or |
|---|
| 263 | 252 | | (3) notice to major statewide media; and |
|---|
| 264 | 253 | | 8. “Reasonable safeguards ” means policies and practices that |
|---|
| 265 | 254 | | ensure personal information is secure, taking into consideration an |
|---|
| 266 | 255 | | entity’s size and the type and amount of personal information. The |
|---|
| 267 | 256 | | term includes, but is not limited to, conducting risk assessments, |
|---|
| 268 | 257 | | implementing technical and physical layered defenses, employe e |
|---|
| 269 | 258 | | training on handling personal information, and establishing an |
|---|
| 270 | 259 | | incident response plan; and |
|---|
| 271 | 260 | | 9. “Redact” means alteration or truncation of data such that no |
|---|
| 272 | 261 | | more than the following are accessible as part of the personal |
|---|
| 273 | 262 | | information: |
|---|
| 274 | 263 | | a. five digits of a social security number, or |
|---|
| 305 | 293 | | SECTION 2. AMENDATORY 24 O.S. 2021, Section 163, is |
|---|
| 306 | 294 | | amended to read as follows: |
|---|
| 307 | 295 | | Section 163. A. An individual or entity that owns or licenses |
|---|
| 308 | 296 | | computerized data that includes personal information shall disclose |
|---|
| 309 | 297 | | provide notice of any breach of the security of the system following |
|---|
| 310 | 298 | | discovery determination or notification of the breach of the |
|---|
| 311 | 299 | | security of the system to any resident of this state whose |
|---|
| 312 | 300 | | unencrypted and unredacted personal information was or is reasonably |
|---|
| 313 | 301 | | believed to have been accessed and acquired by an unauthorized |
|---|
| 314 | 302 | | person and that causes, or t he individual or entity reasonably |
|---|
| 315 | 303 | | believes has caused or will cause, identity theft or other fraud to |
|---|
| 316 | 304 | | any resident of this state. Except as provided in subsection D of |
|---|
| 317 | 305 | | this section or in order to take any measures necessary to determine |
|---|
| 318 | 306 | | the scope of the breach and to restore the reasonable integrity of |
|---|
| 319 | 307 | | the system, the disclosure shall be made without unreasonable delay. |
|---|
| 320 | 308 | | B. An individual or entity must disclose shall provide notice |
|---|
| 321 | 309 | | of the breach of the security of the system if encrypted or redacted |
|---|
| 322 | 310 | | information is accessed and acquired in an unencrypted or unredacted |
|---|
| 323 | 311 | | form or if the security breach involves a person with access to the |
|---|
| 324 | 312 | | encryption key and the individual or entity reasonably believes that |
|---|
| 356 | 343 | | does not own or license shall notify provide notice to the owner or |
|---|
| 357 | 344 | | licensee of the information of any breach of the security of the |
|---|
| 358 | 345 | | system as soon as practicable following discovery determination, if |
|---|
| 359 | 346 | | the personal information was or if the entity reasonably believes it |
|---|
| 360 | 347 | | was accessed and acquired by an unauthorized person. |
|---|
| 361 | 348 | | D. Notice required by this section may be delayed if a law |
|---|
| 362 | 349 | | enforcement agency determines and advises the individual or entity |
|---|
| 363 | 350 | | that the notice will impede a criminal or civil investigation or |
|---|
| 364 | 351 | | homeland or national security. Notice required by this section must |
|---|
| 365 | 352 | | be made without unreasonable delay after the law enforcement agency |
|---|
| 366 | 353 | | determines that notification will no longer impede the investigation |
|---|
| 367 | 354 | | or jeopardize national or homeland security. |
|---|
| 368 | 355 | | E. 1. An individual or entity required to provide notice in |
|---|
| 369 | 356 | | accordance with subsection A, B, or C of this section shall also |
|---|
| 370 | 357 | | provide notice to the Attorney General of such breach without |
|---|
| 371 | 358 | | unreasonable delay but in no event more than sixty (60) days after |
|---|
| 372 | 359 | | providing notice to impacted residents of this state as required by |
|---|
| 373 | 360 | | this section. The no tice shall include the date of the breach, the |
|---|
| 374 | 361 | | date of its determination, the nature of the breach, the type of |
|---|
| 375 | 362 | | personal information exposed, the number of residents of this state |
|---|
| 406 | 392 | | 2. A breach of a security system where fewer than five hundred |
|---|
| 407 | 393 | | (500) residents of this state are affected within a single breach |
|---|
| 408 | 394 | | shall be exempt from the notice requirements of parag raph 1 of this |
|---|
| 409 | 395 | | subsection. |
|---|
| 410 | 396 | | 3. A breach of a security system maintained by a credit bureau |
|---|
| 411 | 397 | | where fewer than one thousand (1,000) residents of this state are |
|---|
| 412 | 398 | | affected within a single breach shall be exempt from the notice |
|---|
| 413 | 399 | | requirements of paragraph 1 of this subsection. |
|---|
| 414 | 400 | | F. Any personal information submitted to the Attorney General |
|---|
| 415 | 401 | | shall be kept confidential pursuant to Section 24A.12 of Title 51 of |
|---|
| 416 | 402 | | the Oklahoma Statutes. |
|---|
| 417 | 403 | | G. The Attorney General may promulgate rules as necessary to |
|---|
| 418 | 404 | | effectuate the provisions of this section. |
|---|
| 419 | 405 | | SECTION 3. AMENDATORY 24 O.S. 2021, Section 164, is |
|---|
| 420 | 406 | | amended to read as follows: |
|---|
| 421 | 407 | | Section 164. A. An individual or entity that maintains its own |
|---|
| 422 | 408 | | notification procedures as part of an information privacy or |
|---|
| 423 | 409 | | security policy for the treatment of personal information and that |
|---|
| 424 | 410 | | are consistent with the timing requirements of this act the Security |
|---|
| 425 | 411 | | Breach Notification Act shall be deemed to be in compliance with the |
|---|
| 426 | 412 | | notification requirements of this act subsection A, B, or C of |
|---|
| 457 | 442 | | B. The following entities shall be deemed to be in compliance |
|---|
| 458 | 443 | | with the notification requirements of subsection A, B, or C of |
|---|
| 459 | 444 | | Section 163 of this title if such entities provide notice to the |
|---|
| 460 | 445 | | Attorney General as required by subsection E of Section 163 of this |
|---|
| 461 | 446 | | title: |
|---|
| 462 | 447 | | 1. A financial institution that complies with the notification |
|---|
| 463 | 448 | | requirements prescribed by the Federal Gramm-Leach-Bliley Act and |
|---|
| 464 | 449 | | the federal Interagency Guidance on Response Programs for |
|---|
| 465 | 450 | | Unauthorized Access to Customer Information and Customer Notice is |
|---|
| 466 | 451 | | deemed to be in compliance with the provisions of this act. ; |
|---|
| 467 | 452 | | 2. An entity that complies with the notification requirements |
|---|
| 468 | 453 | | prescribed by the Oklahoma Hospital Cybersecurity Protection Act of |
|---|
| 469 | 454 | | 2023 or the Health Insurance Portability and Accountability Act of |
|---|
| 470 | 455 | | 1996 (HIPAA); and |
|---|
| 471 | 456 | | 3. An entity that complies with the notifica tion requirements |
|---|
| 472 | 457 | | or procedures pursuant to the rules, regulation regulations, |
|---|
| 473 | 458 | | procedures, or guidelines established by the primary or functional |
|---|
| 474 | 459 | | federal regulator of the entity shall be deemed to be in compliance |
|---|
| 475 | 460 | | with the provisions of this act . |
|---|
| 476 | 461 | | SECTION 4. AMENDATORY 24 O.S. 2021, Section 165, is |
|---|
| 477 | 462 | | amended to read as follows: |
|---|
| 508 | 492 | | in the same manner as an unlawful practice under the Oklahoma |
|---|
| 509 | 493 | | Consumer Protection Act. |
|---|
| 510 | 494 | | B. Except as provided in subsection C D of this section, the |
|---|
| 511 | 495 | | Attorney General or a district attorney shall have exclusive |
|---|
| 512 | 496 | | authority to bring an action and may obtain either actual damages |
|---|
| 513 | 497 | | for a violation of this act or the Security Breach Notification Act |
|---|
| 514 | 498 | | and a civil penalty not to exceed One Hundred Fifty Thousand Dollars |
|---|
| 515 | 499 | | ($150,000.00) per breach of the security of the system or series of |
|---|
| 516 | 500 | | breaches of a similar nature that are discovered determined in a |
|---|
| 517 | 501 | | single investigation . Civil penalties shall be based upon the |
|---|
| 518 | 502 | | magnitude of the breach, the extent to which the behavior of the |
|---|
| 519 | 503 | | individual or entity contributed to the breach, and a ny failure to |
|---|
| 520 | 504 | | provide the notice required by Section 163 of this title . |
|---|
| 521 | 505 | | C. 1. An individual or entity that uses reasonable safeguards |
|---|
| 522 | 506 | | and provides notice as required by Section 163 or 164 of this title |
|---|
| 523 | 507 | | shall not be subject to civil penalties and may use such compliance |
|---|
| 524 | 508 | | as an affirmative defense in a civil action filed under the Security |
|---|
| 525 | 509 | | Breach Notification Act. |
|---|
| 526 | 510 | | 2. An individual or entity that fails to use reasonable |
|---|
| 527 | 511 | | safeguards but provides notice as required by Section 163 or 164 of |
|---|
| 528 | 512 | | this title shall not be subject to the civil penalty set forth in |
|---|
| 558 | 541 | | C. D. A violation of this act the Security Breach Notification |
|---|
| 559 | 542 | | Act by a state-chartered or state-licensed financial institution |
|---|
| 560 | 543 | | shall be enforceable exclusively by the primary state regulator of |
|---|
| 561 | 544 | | the financial institution. |
|---|
| 562 | 545 | | SECTION 5. AMENDATORY 24 O.S. 2021, Section 166, is |
|---|
| 563 | 546 | | amended to read as follows: |
|---|
| 564 | 547 | | Section 166. This act The Security Breach Notification Act |
|---|
| 565 | 548 | | shall apply to the discovery determination or notification of a |
|---|
| 566 | 549 | | breach of the security of the system that occurs on or after |
|---|
| 567 | 550 | | November 1, 2008 January 1, 2026. |
|---|
| 568 | 551 | | SECTION 6. This act shall become effective January 1, 2026. |
|---|