North Dakota recently amended its data breach notification law to require any person or entity – and not just those who conduct business in the state, as previously drafted – to disclose a security breach to affected North Dakota residents. Most notably, though, the amendment also adds a state attorney general notification requirement if the breach affects more than 250 individuals. 

North Dakota recently amended its data breach notification law to require any person or entity – and not just those who conduct business in the state, as previously drafted – to disclose a security breach to affected North Dakota residents. Most notably, though, the amendment also adds a state attorney general notification requirement if the breach affects more than 250 individuals. The amendment also narrows a category of “personal information” that would trigger a notification obligation; under the amended law, employee identification numbers will qualify as triggering “personal information” only when they are “in combination with any required security code, access code, or password[.]” The amendment is effective August 1, 2015.

In addition, effective July 1, 2015, Nevada’s data breach notification law has been amended to add to the definition of triggering personal information 1) a medical or health insurance identification number; and 2) a user name, unique identifier, or e-mail address in combination with a password or code that would permit access to an online account.

TIP: Following similar amendments recently passed in Washington and Montana, North Dakota becomes the most recent state to require notification to state authorities in the event of a breach, continuing the trend of states’ increased involvement in the data security of their residents.