North Dakota recently amended its data breach notification law to clarify that the obligation to notify individuals of a breach applies to any entity that “owns or licenses” personal information of the residents of North Dakota. Previously, the obligation to report a breach only applied to those “that conduct[ ] business in the state.” In addition, the amendment adds an obligation to notify the Attorney General of a breach if more than 250 individuals are affected.
The 2015 amendment also narrows the notification requirement for breaches of employer identification numbers: notification is required only when such numbers are breached in combination with any required security code, access code or password. This follows a 2013 amendment in which the state expanded the definition of “personal information” covered by the data breach statute to include medical information and health insurance information.
The revisions to the statute take effect on August 1, 2015.