Quick Facts
Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: Without unreasonable delay
Government Notification Required: No
Scope of this Summary:
Notification requirements applicable to individuals or entities that own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Notification not required if covered entity reasonably believes that breach has not and will not cause identity theft or other fraud to any Oklahoma resident.
Breach Defined
Unauthorized access and acquisition that compromises the security or confidentiality of the covered info, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
Statute does not apply to information that is encrypted or redacted so long as encryption key was not accessed or acquired.
Form of Covered Info
Electronic Only
Covered Info
The first name or first initial and last name in combination with and linked to any one or more of the following data elements:
- Social Security number.
- Driver's license number or state identification card number issued in lieu of a driver's license.
- Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to the financial accounts of a resident.
- Personal information does not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Consumer Notice Timing
Must be made without unreasonable delay, consistent with any measures to determine the scope of the breach and to restore the reasonable integrity of the system.
Consumer Notice Method
By written notice, telephone notice, or electronic notice if consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
Oklahoma's general breach notification statute does not set out specific content requirements for the notice to affected persons.
Delayed Notice
Notification may be delayed if law enforcement determines and advises that notification will impede a criminal or civil investigation or homeland or national security.
Government Notice
The Oklahoma general breach notification statute does not require notice to any government or regulatory agencies.
Consumer Reporting Agency Notice
The Oklahoma general breach notification statute does not require notice to Consumer Reporting Agencies.
Exceptions for Other Laws
A financial institution that complies with the notification requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (70 Fed. Reg. 15,736 (March 29, 2005)).
Third-Party Notice
If you maintain covered info on behalf of another entity, you must notify it as soon as practicable following discovery of a breach.
Private Right of Action
Oklahoma's general breach notification statute does not provide for a private right of action.
Potential Penalties
Violations may result in civil penalties.
This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.
Last revised on June 15, 2023