Oklahoma Statutes 24 § 161 et seq.
Type of Data Covered: Computerized or electronic data.
Is Breach Defined?
"“Breach of the security of a system” means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state. Good faith acquisition of personal information by an employee or agent of an individual or entity for the purposes of the individual or the entity is not a breach of the security of the system, provided that the personal information is not used for a purpose other than a lawful purpose of the individual or entity or subject to further unauthorized disclosure."
When is notice required?
Notice is required for all affected residents "...without unreasonable delay," but there are exceptions for restoring the system and for law enforcement concerns. Notice may be written, electronic, telephonic, or via "substitute notice" procedures, depending on circumstances. There are no requirements for the content of the notice.
What are the penalties for non-compliance?
Violations have their own section of the law, § 165, which reads as follows:
"A. A violation of this act that results in injury or loss to residents of this state may be enforced by the Attorney General or a district attorney in the same manner as an unlawful practice under the Oklahoma Consumer Protection Act.
B. Except as provided in subsection C of this section, the Attorney General or a district attorney shall have exclusive authority to bring action and may obtain either actual damages for a violation of this act or a civil penalty not to exceed One Hundred Fifty Thousand Dollars ($150,000.00) per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation.
C. A violation of this act by a state-chartered or state-licensed financial institution shall be enforceable exclusively by the primary state regulator of the financial institution."