There are specific considerations when determining if a breach is reportable. If notification is required to more than 250 persons, the state Attorney General must be notified either by mail or email.

If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.

Organizations may be fined or penalized for Vendor violations. In addition to monetary civil penalties, the Attorney General may obtain injunctive relief through an action in a district court.

North Dakota passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to data breaches. Effective July 1, 2021, licensees must comply with the breach notification requirements, including Commissioner notification within 3 business days.

“Personal information” means an individual’s first name or first initial and last name in combination with any of the following data elements, when the name and the data elements are not encrypted: social security number; driver’s license number; non-driver color photo identification card; financial account number, credit or debit card number in combination with required security code or password that would permit access to individual’s financial account; date of birth; maiden name; medical information; health insurance information; employer issued identification number with required security code or password; or digitized or electronic signature.

Vendors must notify Organizations upon discovery of a breach or suspected breach. The Organization is responsible for submitting any required regulatory reporting and consumer notifications.