Click here to review text of state statute (see Okla. Stat., Title 24, §§ 161 to 166).
[For specific rules applicable to state agencies – see Okla. Stat. §§74-3113.1.]
Information Covered / Important Definitions
Personal information of Oklahoma residents.
“Security Breach” means unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained as part of a database of personal information regarding multiple individuals and that causes, or the covered entity reasonably believes caused or will cause, identity theft or other fraud to any Oklahoma resident.
“Encrypted” means transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, or rendering the data elements unreadable or unusable by other means.
“Redact” means alteration or truncation of data such that no more than five digits of a social security number or the last four digits of a driver license number, state identification card number, or account number are part of the data.
Covered Entities* / Third Party Recipients
Subject to statute:
An individual or entity that owns or licenses computerized information that includes personal information.
Third party recipients:
Any covered entity that maintains computerized data containing personal information that the covered entity does not own or license must notify the owner or licensee of the information of any security breach immediately as soon as practicable following discovery of the breach.
Notice Procedures & Timing / Other Obligations
Written, telephonic, or electronic notice must be provided to victims of a security breach without unreasonable delay, unless a law enforcement agency determines that notice will impede a criminal or civil investigation or jeopardize homeland or national security (in which case notification is delayed until authorized by law enforcement).
- Substitute notice is available by means prescribed in the statute if costs to exceed $50,000, affected class exceeds 100,000 persons, or covered entity has insufficient contact information or does not have consent to provide notice otherwise.
- Notification required solely in the case of breaches that the covered entity reasonably believes has caused or will cause identity theft or other fraud to any Oklahoma resident.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted. A breach must also be disclosed if the encryption key is compromised.
Exemption for good faith acquisition of personal information by an employee or agent of a covered entity for the purposes of the covered entity so long as the personal information is not used for an unlawful purpose or subject to further unauthorized disclosure.
A covered entity is deemed in compliance with the Oklahoma statute if it maintains and complies with its own notification procedures as part of an information privacy or security policy and whose procedures are consistent with the timing requirements of the Oklahoma statute.
A covered entity that complies with the notification requirements imposed by its primary or functional federal regulator is deemed in compliance with the Oklahoma statute.
Financial institutions subject to and in compliance with federal interagency guidelines are exempt.
Notification to Regulator / Waiver
A determination of no likelihood of harm: Does not require notification to attorney general.
Actual damages resulting from a violation of the statute or a civil penalty not to exceed $150,000 per breach.
Violations of the statute by state-chartered or state-licensed financial institutions may only be enforced by the primary state regulator of the institution.
Private Cause of Action / Enforcement
Private Cause of Action: No.
Enforcement by attorney general only.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.
Click here to review text of state statute (see Okla. Stat., Title 24, §§ 161 to 166)