Oklahoma Amends its Security Breach Notification Act

Oklahoma Senate Bill 626, which amends Oklahoma’s Security Breach Notification Act, recently became law without the Governor’s signature. The legislation will go into effect Jan. 1, 2026.

The amendments expand the definition of “personal information” to include, in combination with an individual’s first name or initial and last name:

  • any required expiration date in combination with a financial account number or credit or debit card number;
  • a unique electronic identifier or routing code in combination with any required security code, access code, or password that would permit access to an individual’s financial account; or
  • unique biometric data, such as a fingerprint, retina or iris image, or other unique physical or digital representation of biometric data used to authenticate a specific individual.

If a breach of a security system affects 500 or more residents, notification to the Attorney General is required within 60 days and must include:

  • the date of the breach;
  • the date of its determination;
  • the nature of the breach;
  • the type of personal information exposed;
  • the number of residents affected;
  • the estimated monetary impact of the breach; and
  • any reasonable safeguards the entity employs.

Currently, the Act provides for civil penalties not to exceed $150,000, and the amendments state that “[c]ivil penalties shall be based upon the magnitude of the breach, the extent to which the behavior of the individual or entity contributed to the breach, and any failure to provide the notice required by Section 163 of this title.”

The amendments also address the use of, and the failure to use, reasonable safeguards. “Reasonable safeguards” are defined as “policies and practices that ensure personal information is secure, taking into consideration an entity’s size and the type and amount of personal information. The term includes, but is not limited to, conducting risk assessments, implementing technical and physical layered defenses, employee training on handling personal information, and establishing an incident response plan.”

The amendments provide that an individual or entity that uses reasonable safeguards and provides proper breach notifications will not be subject to civil penalties and will have an affirmative defense. On the other hand, failure to use reasonable safeguards can result in a civil penalty of $75,000, provided the breach notification requirements are met. In either case, if the notification requirements are not met, then the higher $150,000 civil penalty cap applies.

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, focused on advising clients with respect to federal and state consumer financial protection laws and data privacy and security, and he is a Certified Information Privacy Professional through the International Association of Privacy Professionals. He also brings to the table experience as a litigator, chief compliance and ethics officer, director of legislative affairs, federal lobbyist, and administrative hearings officer. Eric earned his Juris Doctor from Washington University School of Law and his Bachelor of Business Administration from Southern Methodist University. He is a member of the International Association of Privacy Professionals, the Receivables Management Association International (RMAI), and ACA International. He is admitted to practice law in Texas and Missouri and in the U.S. District Courts for the Northern, Southern, Eastern, and Western Districts of Texas. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/