Articles

By Daniel Beizaie

Oklahoma S.B. 626 amended the state’s Security Breach Notification Act and requires the prompt disclosure of data breaches to affected individuals.

The amendments take effect on January 1, 2026, and apply to security breaches on or after that date.

• Oklahoma S.B. 626 imposes data security breach notification requirements on the Insights Industry when identity theft is foreseeable, on par with other states, with the rarer benefit of an affirmative defense against fines and legal action if the affected entity had “reasonable safeguards.”

An entity that owns or licenses computerized data that includes personal information must provide notice of any breach of the security of a system without “unreasonable” delay to any Oklahoma resident whose information, in an unencrypted or unredacted form, has been accessed, or is reasonably believed to have been accessed, without authorization and that access causes, or is reasonably believed to cause, identity theft or other fraud. The entity must also provide notice to the Attorney General (AG) of Oklahoma.

An entity that maintains or licenses computerized data that includes personal information that they do not own must provide notice of any breach of the security of a system to the information’s owner or licensee. The entity must also provide notice to the Oklahoma AG.

These two aforementioned notice requirements do not apply to breaches of the security of a system affecting less than 500 Oklahoma residents (1,000 such residents If the system is maintained by a credit bureau).

Any information submitted to the Oklahoma AG would be confidential under state law.

An entity that adheres to its own privacy or security notification procedures is considered compliant with Oklahoma S.B. 626’s notification rules, if their procedures adhere to the timing requirements of Oklahoma S.B. 626 and they notify affected residents in accordance with their procedures in the event of a breach of the security of a system.

Exempt from Oklahoma S.B. 626 are:

• Financial institutions compliant with federal regulations and guidelines;
• Entities compliant with HIPAA or an Oklahoma hospital cybersecurity law; and
• Entities compliant with the notification requirements and procedures established by their “primary or functional federal regulator.”

A violation of Oklahoma S.B. 626 that results in loss or injury to Oklahoma residents would be treated as a violation of the Oklahoma Consumer Protection Act. The Oklahoma AG has exclusive authority to enforce Oklahoma S.B. 626 and can recover actual damages and a fine of up to $150,000 per breach of the security of a system. An entity that uses “reasonable safeguards” and is compliant with Oklahoma S.B. 626’s notification requirements would not be subject to a fine and could use its compliance as an affirmative defense in a civil action filed under Oklahoma S.B. 626. If an entity does not use “reasonable safeguards” but adheres to Oklahoma S.B. 626’s notification requirements, they would be subject to actual damages and a fine of up to $75,000.

The law defines a “breach of the security of a system” as “the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state. Good faith acquisition of personal information by an employee or agent of an individual or entity for the purposes of the individual or the entity is not a breach of the security of the system, provided that the personal information is not used for a purpose other than a lawful purpose of the individual or entity or subject to unauthorized disclosure”

“Personal information” is defined as “an individual’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or are encrypted, redacted, or otherwise altered by any method or technology but the keys to unencrypt, unredact, or otherwise read the data elements have been obtained through the breach of security:”

1. “social security number,”
2. “driver license number or other unique identification created or collected by a government entity,”
3. “financial account number, or credit card or debit card number, in combination with any required expiration date, security code, access code, or password that would permit access to an individual’s financial account,”
4. unique electronic identifier or routing code in combination with any required security code, access code, or password that would permit access to an individual’s financial account, or”
5. “unique biometric data such as a fingerprint, retina or iris image, or other unique physical or digital representation of biometric data to authenticate a specific individual.”

The definition of “personal information” excludes “information that is lawfully obtained from publicly available sources, or from federal, state or local government records lawfully made available to the general public.”

“Notice” is defined as:

1. “written notice to the postal address in the records of the individual or entity,”
2. “telephone notice,”
3. “electronic notice, or”
4. “substitute notice, if the individual or the entity required to provide notice demonstrates that the cost of providing notice will exceed Fifty Thousand Dollars ($50,000.00), or that the affected class of residents to be notified exceeds one hundred thousand (100,000) persons, or that the individual or the entity does not have sufficient contact information or consent to provide notice as described in subparagraph a, b, or c of this paragraph. Substitute notice consists of any two of the following:”
   1. “email notice if the individual or the entity has email addresses for the members of the affected class of residents,”
   2. “conspicuous posting of the notice on the Internet website of the individual or the entity if the individual or the entity maintains a public Internet website, or”
   3. “notice to major statewide media.”

The law defines “reasonable safeguards” as “policies and practices that ensure personal information is secure, taking into consideration an entity’s size and the type and amount of personal information. The term includes, but is not limited to, conducting risk assessments, implementing technical and physical layered defenses, employee training on handling personal information, and establishing an incident response plan.”

Oklahoma Sen. Brent Howard (R-38) sponsored S.B. 626, and Oklahoma Rep. John Pfeiffer (R-38) sponsored its House companion. S.B. 626 passed the legislature with a bipartisan majority. The law was enacted on May 28, 2025, after Oklahoma Governor Kevin Stitt (R) did not act on S.B. 626 within five days.

-             Daniel Beizaie, a government affairs intern at the Insights Association for summer 2025, is a student at Baylor University.

This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.