North Dakota Privacy Laws
Mandated Timeframe
Without unreasonable delay
Violations
Up to $5,000 per violation
REGULATION LEVELS
 Breach Reporting |
Consumer Notifications |
|---|---|
| Vendor Management |
 Vendor Contract Required |
LEVEL DESCRIPTION
| Minimal |
Basic |
 Comprehensive |
 Extensive |
|---|
Mandated Timeframe
Without unreasonable delay
Violations
Up to $5,000 per violation
REGULATION LEVELS
| Breach Reporting |
Consumer Notifications |
|---|---|
| Vendor Management |
Vendor Contract Required |
LEVEL DESCRIPTION
| Minimal |
Basic |
Comprehensive |
Extensive |
|---|
Mandated Timeframe
Without unreasonable delay
Violations
Up to $5,000 per violation
REGULATION LEVELS
| Breach Reporting |
Consumer Notifications |
|---|---|
| Vendor Management |
Vendor Contract Required |
LEVEL DESCRIPTION
| Minimal |
Basic |
Comprehensive |
Extensive |
|---|
North Dakota Privacy Law Information
-
Definition of Personal Information
“Personal information” means an individual’s first name or first initial and last name in combination with any of the following data elements, when the name and the data elements are not encrypted: social security number; driver’s license number; non-driver color photo identification card; financial account number, credit or debit card number in combination with required security code or password that would permit access to individual’s financial account; date of birth; maiden name; medical information; health insurance information; employer issued identification number with required security code or password; or digitized or electronic signature.
-
Breach Reporting
There are specific considerations when determining if a breach is reportable. If notification is required to more than 250 persons, the state Attorney General must be notified either by mail or email.
-
Consumer Notification
If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
-
Vendor/Third Parties
Vendors must notify Organizations upon discovery of a breach or suspected breach. The Organization is responsible for submitting any required regulatory reporting and consumer notifications.
-
Industry Specific Laws
North Dakota passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to data breaches. Effective July 1, 2021, licensees must comply with the breach notification requirements, including Commissioner notification within 3 business days.
-
Fines & Penalties
Organizations may be fined or penalized for Vendor violations. In addition to monetary civil penalties, the Attorney General may obtain injunctive relief through an action in a district court.
North Dakota