Bill > SB626

This bill updates Oklahoma's Security Breach Notification Act to enhance data protection and breach reporting requirements. The legislation expands the definition of "personal information" to include more specific data elements like biometric data and unique electronic identifiers, and introduces a new concept of "reasonable safeguards" that requires organizations to implement comprehensive data protection practices. The bill mandates that entities experiencing a security breach must provide notice to affected individuals and, in most cases, to the Attorney General within 60 days, with detailed reporting requirements including the date of breach, nature of the incident, and types of personal information exposed. Notably, smaller breaches affecting fewer than 500 state residents or 1,000 residents in the case of credit bureaus are exempt from certain notification requirements. The bill also clarifies compliance procedures for different types of entities like financial institutions and healthcare organizations, and establishes a graduated penalty system that considers the magnitude of the breach and an organization's preventative efforts, with potential civil penalties up to $150,000 per breach. The new law will become effective on January 1, 2026, giving organizations time to prepare and implement the required safeguards and notification procedures.

Budget and Finance, Transportation and Infrastructure

http://www.oklegislature.gov/BillInfo.aspx?Bill=sb626&Session=2600