A. An individual or entity that owns or licenses computerized data that includes personal information shall provide notice of any breach of the security of the system following determination or notification of the breach of the security of the system to any resident of this state whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state. Except as provided in subsection D of this section or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system, the disclosure shall be made without unreasonable delay. B. An individual or entity shall provide notice of the breach of the security of the system if encrypted or redacted information is accessed and acquired in an unencrypted or unredacted form or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such breach has caused or will cause identity theft or other fraud to any resident of this state. C. An individual or entity that maintains computerized data that includes personal information that the individual or entity does not own or license shall provide notice to the owner or licensee of the information of any breach of the security of the system as soon as practicable following determination, if the personal information was or if the entity reasonably believes it was accessed and acquired by an unauthorized person. D. Notice required by this section may be delayed if a law enforcement agency determines and advises the individual or entity that the notice will impede a criminal or civil investigation or homeland or national security. Notice required by this section must be made without unreasonable delay after the law enforcement agency determines that notification will no longer impede the investigation or jeopardize national or homeland security. E. 1. An individual or entity required to provide notice in accordance with subsection A or B of this section shall also provide notice to the Attorney General of such breach without unreasonable delay but in no event more than sixty (60) days after providing notice to impacted residents of this state as required by this section. The notice shall include the date of the breach, the date of its determination, the nature of the breach, the type of personal information exposed, the number of residents of this state affected, the estimated monetary impact of the breach to the extent such impact can be determined, and any reasonable safeguards the entity employs. 2. A breach of a security system where fewer than five hundred (500) residents of this state are affected within a single breach shall be exempt from the notice requirements of paragraph 1 of this subsection. 3. A breach of a security system maintained by a credit bureau where fewer than one thousand (1,000) residents of this state are affected within a single breach shall be exempt from the notice requirements of paragraph 1 of this subsection. F. Any personal information submitted to the Attorney General shall be kept confidential pursuant to Section 24A.12 of Title 51 of the Oklahoma Statutes.
‹ Prev All Oklahoma sections Next ›
Lexace provides legal information, not legal advice, and no attorney–client relationship is created. Statute text is provided for general information and may not reflect the most recent amendments; verify against the official state code.