Hunton Andrews Kurth writes:
On April 11, 2025, the North Dakota governor signed H.B. 1127 (the “Act”), which establishes new data security measures and breach notification obligations for financial corporations. Covered entities include those that are regulated by the North Dakota Department of Financial Institutions, and exclude financial institutions such as banks and credit unions.
Key requirements, which mirror requirements under the federal Gramm-Leach-Bliley Act Safeguards Rule, include the following:
- implementing a comprehensive information security program, including maintaining appropriate administrative, technical and physical safeguards;
- designating a qualified individual responsible for overseeing, implementing and enforcing the financial corporation’s information security program;
- basing an information security program on periodic risk assessments that incorporate designated content requirements and identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information, and reassessing the sufficiency of any safeguards in place to control these risks;
- implementing safeguards to control the risks identified through the risk assessment, including but not limited to (1) implementing and periodically reviewing access controls; (2) implementing encryption of customer information held or transmitted by the financial corporation both in transit over external networks and at rest; (3) adopting secure development practices for in-house developed applications; (4) implementing multifactor authentication for any individual accessing any information system (unless the financial corporation’s qualified individual has approved in writing the use of a reasonably equivalent or more secure access control); (5) monitoring and logging user activity and (6) conducting continuous monitoring or periodic penetration testing and vulnerability assessments;
Read more of the requirements at Privacy & Information Security Law Blog. They also report:
The Act also imposes new requirements regarding security incidents (i.e., “notification events”). A “notification event” means the acquisition of unencrypted customer information without the authorization of the individual to which the information pertains. Financial corporations must notify the Department of Financial Institutions as soon as possible and no later than 45 days after discovering a notification event that involves the information of at least 500 consumers. Notably, the Act specifies that a notification event “must be treated as discovered on the first day when the event is known to the financial corporation. A financial corporation is deemed to have knowledge of a notification event if the event is known to any employee, officer, or other agent of the financial corporation, other than the person committing the breach.” The Act will take effect on August 1, 2025.