The Hunton Andrews Kurth law firm has posted a summary of new law in North Dakota that affects financial corporations:
On April 11, 2025, the North Dakota governor signed H.B. 1127 (the “Act”), which establishes new data security measures and breach notification obligations for financial corporations. Covered entities include those that are regulated by the North Dakota Department of Financial Institutions and exclude financial institutions, such as banks, and credit unions.
The key requirements for data security, which the article lists, mirror requirements under the federal Gramm-Leach-Bliley Act Safeguards Rule.
The Act also imposes new requirements regarding security incidents (i.e., “notification events”). A “notification event” means the acquisition of unencrypted customer information without the authorization of the individual to which the information pertains. Financial corporations must notify the Department of Financial Institutions as soon as possible and no later than 45 days after discovering a notification event that involves the information of at least 500 consumers. Notably, the Act specifies that a notification event “must be treated as discovered on the first day when the event is known to the financial corporation. A financial corporation is deemed to have knowledge of a notification event if the event is known to any employee, officer, or other agent of the financial corporation, other than the person committing the breach.” The Act will take effect on August 1, 2025.
Source: Hunton Andrews Kurth
