Last week, Senate Bill 2214 was passed which makes three significant updates to breach notification laws in North Dakota, changing elements of subsection 4 of section 51- 30-01 and section 51-30-02 of the North Dakota Century Code.
When the new law becomes enforceable on August 1, 2015, any individual or organization that conducts business inside the state will be required to issue breach notification letters to all North Dakota residents in the event of a data breach involving personal information and any one sensitive data element.
The state attorney general also need to be notified of data breach that exposes or discloses the personal information of more than 250 individuals, with this threshold also applying to consumer breach notification letters.
The data element definitions have been extended as part of the update to include unique identification numbers used by healthcare organizations to identify patients. The definition expansion also includes medical identity numbers, insurance or health plan ID numbers and login and usernames, although a breach of this data is only reportable if this data is exposed, viewed, copied or disclosed along with passwords and/or security and access codes.
The full list of data covered under the new breach notification laws in North Dakota are listed below. When these data elements are exposed along with personal information – first name or initial and surname – patients and the state attorney general must be notified “in the most expedient time possible and without unreasonable delay.”
This information does not include any data that is publically available.
Data breaches are reportable if they affect more than 250 individuals and involve the disclosure of personal information and any of the following data elements:
- Social Security number
- Department of Transport license number
- Non-driver color photo identification card number
- Financial institution account number
- Debit and credit card numbers along with security codes and/or passwords to financial accounts
- Date of birth
- Mother’s maiden name
- Health insurance details
- Employer assigned unique id number in combination with access codes
- Digital/electronic signatures
With the volume of data breaches rising, many states are deciding to increase the regulations covering the data breach response, the time scale for issuing breach notices and to whom they need to be sent. A fast response to a data breach is essential if damage is to be limited, and by forcing companies – and individuals – to act faster, consumers should be better protected.