Covington and Burling writes:
Oklahoma recently enacted Senate Bill 626, which substantially amends the state’s data breach notification law to broaden the scope of notification obligations and add a new regulator notification requirement along with a new “safe harbor”-style provision that provides liability protections if certain security measures are implemented. The changes to Oklahoma’s law follow changes to other state data breach notification laws within the past year, including New York’s addition of a 30-day deadline for notice to individuals (added in early 2025) and Pennsylvania’s addition of a regulator notification requirement and obligations to provide free credit monitoring (added in mid-2024). Key updates from Oklahoma’s bill, which will go into effect on January 1, 2026, are discussed in further detail below.
One of the significant changes the law firm describes:
Affirmative Defense for “Reasonable Safeguards.” While Oklahoma’s existing data breach notification law provides for civil penalties of up to $150,000 per breach for violations of the law, the bill states that entities that use “reasonable safeguards” and provide notice in accordance with the statute will not be subject to civil penalties and can use such compliance as an affirmative defense in civil actions filed under the statute. Reasonable safeguards are defined as “policies and practices that ensure personal information is secure, taking into consideration an entity’s size and the type and amount of personal information.” (This affirmative defense could be construed narrowly, since it may be challenging to demonstrate that safeguards are “reasonable” where they must “ensure personal information is secure[.]”) Further, the bill states that the term includes, but is not limited to, “conducting risk assessments, implementing technical and physical layered defenses, employee training on handling personal information, and establishing an incident response plan.” If an entity fails to use reasonable safeguards but provides notice in accordance with the law, civil penalties will be capped at $75,000 plus actual damages.
Read more at Inside Privacy.
