North Dakota
Quick Facts
Breach Based on Harm Threshold: No
Deadline for Consumer Notice: Most expedient time possible and without unreasonable delay
Government Notification Required: Yes, if > 250 individuals affected
Scope of this Summary:
Notification requirements applicable to persons who own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
The notification obligation is not subject to a risk assessment.
Breach Defined
Unauthorized acquisition of computerized data when access to personal information has not been secured by encryption or by any other method or technology, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
Statute does not apply to information that is secured by encryption or any other method or technology that renders the covered info unreadable or unusable.
Form of Covered Info
Electronic Only
Covered Info
An individual's first name or first initial and last name in combination with any of the following data elements:
- The individual's Social Security number.
- The operator's license number assigned to an individual by the department of transportation under section 39-06-14.
- A non-driver color photo identification card number assigned to the individual by the department of transportation under section 39-06-03.1.
- The individual's financial institution account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial accounts.
- The individual's date of birth.
- The maiden name of the individual's mother.
- Medical information, meaning any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional.
- Health insurance information, meaning an individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.
- An identification number assigned to the individual by the individual's employer in combination with any required security code, access code, or password.
- The individual's digitized or other electronic signature.
Consumer Notice Timing
Must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and to restore the integrity of the system.
Consumer Notice Method
By written notice or electronic notice if consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
The North Dakota general breach notification and insurance data security statutes do not set out specific content requirements for the notice to affected persons and consumers.
Delayed Notice
Notification may be delayed if law enforcement determines notice will impede a criminal investigation.
Government Notice
Must notify without unreasonable delay the Attorney General via mail or email of any breach that affects more than 250 individuals.
Consumer Reporting Agency Notice
The North Dakota general breach notification and insurance data security statutes do not require notice to credit reporting agencies.
Exceptions for Other Laws
The statute includes certain exceptions for entities that are subject to the breach notification requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Third-Party Notice
If you maintain covered info on behalf of another entity, you must notify it immediately following discovery of a breach.
Private Right of Action
The North Dakota general breach notification statute does not provide for a private right of action.
Potential Penalties
Violations may result in civil penalties.