The Oklahoma State Legislature recently enacted Senate Bill 626, which amends the state’s Security Breach Notification Act for businesses. The Amendment, effective January 1, 2026, addresses gaps in the state’s existing cybersecurity framework. Its key changes include updated definitions of terms related to data security incidents, a new requirement to report data breaches to the state Attorney General, and clarified compliance requirements. It also revises the penalties for non-compliance and provides for certain affirmative legal defenses.
The Amendment clarifies the definitions of key terms related to security breaches, including what constitutes “personal information.”
The definition of “personal information” was expanded to include unique electronic identifiers or routing codes for accounts, as well as unique biometric data, such as fingerprints or retina images, used to authenticate an individual’s identity. “Reasonable safeguards” are now defined as policies and practices that ensure the security of personal information, taking into account the entity’s size and the type of data it holds.
These safeguards include conducting risk assessments, implementing layered technical and physical defenses, and establishing an incident response plan.
Starting in the new year, any entity required to notify affected individuals must also notify the Oklahoma Attorney General. The notification to the Attorney General must include the type of personal information affected, the nature of the breach, the number of individuals affected, and any safeguards the entity employed. It must be made no more than sixty days after the entity has notified the affected residents. Breaches affecting fewer than 500 residents (or fewer than 1,000 residents, for credit bureaus) are exempt from this requirement. Entities that comply with existing healthcare data protection laws are also exempt from individual notification, provided they notify the Attorney General.
To prepare for the new requirements, entities should inventory the data they collect to determine what personal information they gather, paying particular attention to the data elements newly covered by the law. Businesses should also review and update their information security policies and operational procedures to ensure that the “reasonable safeguards” defined in the Amendment are in place to protect sensitive data. Because policies and procedures must remain reasonably designed over time, they should be reviewed and updated periodically.