North Dakota recently enacted an amendment that will again tighten its existing breach notification law. The current law, North Dakota Century Code Section 51-30 et. seq., has evolved over time, having been previously amended in 2013 to add health information to the definition of “personal information” that could trigger a notification if breached. This new amendment may be a result of recent large data breaches and a concern that existing law did not require notification of the Attorney General or notification to residents if a company was not “conducting business” in North Dakota.
The amendment broadens the reach of the existing breach notification law by requiring a company to notify affected North Dakota residents regardless of whether the company operates in North Dakota. And for large breaches that impact more than 250 individuals, the Attorney General must now be notified by mail or e-mail. The definition of “personal information” has been updated again – this time to add an employer’s identification number assigned to an individual in combination with any required security code, access code, or password. The amendment will take effect on August 1, 2015.