North Dakota Code § 51-30-01 et seq
Type of Data Covered: Computerized or electronic data.
Is Breach Defined?
“Breach of the security system” means unauthorized acquisition of computerized data when access to personal information has not been secured by encryption or by any other method or technology that renders the electronic files, media, or databases unreadable or unusable. Good-faith acquisition of personal information by an employee or agent of the person is not a breach of the security of the system, if the personal information is not used or subject to further unauthorized disclosure."
When is notice required?
Notice is required for all affected residents, and the Attorney General if over 250 residents get notice, "...in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement... or any measures necessary to determine the scope of the breach and to restore the integrity of the data system." Notice may be written, electronic, or via "substitute notice" procedures, depending on circumstances. There are no specifications on the content of the notice.
What are the penalties for non-compliance?
Violations have their own section of the law, § 51-30-07, which reads as follows:
"The attorney general may enforce this chapter. The attorney general, in enforcing this chapter, has all the powers provided in chapter 51-15 and may seek all the remedies in chapter 51-15. A violation of this chapter is deemed a violation of chapter 51-15. The remedies, duties, prohibitions, and penalties of this chapter are not exclusive and are in addition to all other causes of action, remedies, and penalties under chapter 51-15, or otherwise provided by law."
§ 51-15 is the chapter in North Dakota Code on "Unlawful Sales or Advertising Practices."