View Page As PDF
Share Button
Tweet Button

Effective August 1, 2013, North Dakota House Bill 1435 modified North Dakota’s “Notice of Security Breach for Personal Information statute” definitions section, codified as N.D. Century Code, section 51-30-01.  This section was modified by way of addition.  “Health insurance information” and “medical information” have been added to expand the definition of “personal information.”  “Health insurance information” means, “an individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.”  “Medical Information” means, “any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.”

This is significant because now an entity that experiences a data breach involving an individual’s first name or first initial and last name combined with what is defined as “health insurance information” or “medical information,” must comply with North Dakota’s notification requirements.  Specifically, North Dakota requires any entity that owns or licenses computerized data, that conducts business in North Dakota, and that experiences a data breach that includes “personal information,” to notify the person whose information was acquired by an unauthorized person of the breach in the “most expedient time possible and without unreasonable delay.”  Additionally, any entity that maintains computerized data and experiences a breach that includes “personal information,” is required to notify the person whose information was acquired by an unauthorized person “immediately following discovery [of the breach].” 

Failure to comply with the above notification requirements can result in the imposition of an array of penalties courtesy of the North Dakota Attorney General.  Penalties can include, an injunction, an order appointing a receiver to oversee assets, a cease and desist order, a civil penalty (up to $5,000.00) for failure to comply with the cease and desist order, attorney's fees, investigation fees, costs, and expenses of any investigation and action brought by the Attorney General.