Oklahoma: Bill establishing security breach notification act referred to Judiciary for second reading

On February 6, 2024, Senate Bill 1337 establishing the security breach notification act was referred to the Senate Committee on Judiciary for its second reading, following its first reading on February 5, 2024.

What are the main provisions of the bill?

The bill, introduced on December 14, 2023, amends Sections 162, 163, 164, 165, and 166 of Title 24 of the Oklahoma Statutes (O.S.) relating to security breach notifications.

The bill introduces new definitions, including 'reasonable safeguards' and 'restricted information.' Notably, restricted information is defined as any non-personal information about an individual that, alone or in combination with other information, including personal information, can be used to distinguish or trace the identity of the individual, or that is linked or linkable to the individual, if such information is not encrypted, redacted, or altered by any method or technology in such a manner that the information is unreadable, and the breach of which is likely to result in a material risk of identity theft or other fraud to person or property.

Moreover, Section 163 of Title 24 O.S. is amended to include the following new sections:

  • an individual or entity required to provide notice shall also provide notice to the Attorney General of Oklahoma (AG) of such breach without unreasonable delay but in no event more than 60 days after discovery of the breach. The notice shall include the date of the breach, the date of its discovery, the nature of the breach, the type of personal information or restricted information exposed, the number of individuals affected, and the estimated monetary impact of the breach to the extent such impact can be determined;
  • a breach of a security system where fewer than 250 persons are affected within a single breach shall be exempt from the notice requirements;
  • a breach of a security system maintained by a credit bureau where fewer than 1,000 persons are affected within a single breach shall be exempt from the notice requirements;
  • any personal or restricted information submitted to the AG shall be kept confidential pursuant to Section 24A.12 of Title 51 of the O.S.; and
  • the AG may promulgate rules as necessary to effectuate the provisions of the bill.

Enforcement by AG

Regarding enforcement, Section 165(B) of Title 24 O.S. is amended to grant exclusive authority to the AG or a district attorney to bring an action for a violation of the bill. Penalties may include actual damages and a civil penalty not exceeding $150,000 per breach or $2,000 per individual per breach, whichever is greater. The determination of civil penalties considers the breach's magnitude, the entity's contribution to the breach, and compliance with the notice requirements outlined in Section 163 of Title 24 O.S.

You can read the bill here and track its progress here.