North Dakota Gov. Kelly Armstrong recently signed into law House Bill 1127 which is nearly identical to the Gramm-Leach-Bliley Act Safeguards Rule, including the more recent amendments regarding data breach notifications. The law will go into effect Aug. 1, 2025.
APPLICABILITY
The law applies to applies to “financial corporations,” which are “all entities regulated by the department of financial institutions, excluding financial institutions and credit unions.” That includes:
- Collection agencies;
- Debt settlement service providers;
- Deferred presentment (payday) service providers;
- Money brokers;
- Money transmitters;
- Mortgage loan originators; and
- Mortgage loan servicers.
SIMILARITY
Commissioner Lisa Kruse testified that the Department of Financial Institutions wanted to have the same cybersecurity protection authority over nonbank financial institutions as the federal government. She went on to say:
This bill is a Model Law that will add the FTC Safeguards rule into state statute, and the reason why this would be needed in state statute is due to the lack of clarity whether we as a state can enforce compliance with the federal rules directly. We may identify failures in compliance during our exams and by adopting this Model Law, we are provided then with enforcement authority and the ability to address specific needs such as data breach notifications. It is important to note that this statute does not create any additional burden or rules for the industry because these companies are already subject to those.
That appears to be largely accurate as the definitions, standards for safeguarding customer information, and security program elements are nearly identical to those in the Safeguards Rule.
DATA BREACH NOTIFICATIONS
Like the Safeguards Rule, the North Dakota law requires notice if a notification event “involves the information of at least five hundred consumers,” though the notice is to the Commissioner rather than the Federal Trade Commission.
The definition of “consumer” is not limited to residents, and is defined, in part, as “an individual, or that individual’s legal representative, who applies for or has obtained a financial product or service from a financial corporation,” i.e., from an entity “regulated by the department of financial institutions, excluding financial institutions and credit unions.”
It should be noted that North Dakota’s data breach notification statutes, N.D. Cent. Code § 51-30-01, et seq., still apply and require notification to residents, as well as to the attorney general if the breach affects more than 250 individuals.
IMPRESSIONS
As Commissioner Kruse noted, the financial corporations subject to this law are currently subject to, and should already be complying with, the GLBA Safeguards Rule. Thus, compliance burdens should be minimal. However, the new law will subject financial corporations, as defined, to additional scrutiny regarding the sufficiency of their implementation and maintenance of the Safeguard Rule’s requirements.
Photo: Steve Cukrov/stock.adobe.com
