Melissa Pascualini of Jackson Lewis
The Oklahoma State Legislature recently enacted Senate Bill 626, amending its Security Breach Notification Act, effective January 1, 2026, to address gaps in the state’s current cybersecurity framework (the “Amendment”). The Amendment includes new definitions, mandates reporting to the state Attorney General, clarifies compliance with similar laws, and provides revised penalty provisions, including affirmative defenses.
Definitions
The Amendment provides clearer definitions related to security breaches, specifying what constitutes “personal information” and “reasonable safeguards.”
- Personal Information: The existing definition for “Personal Information” was expanded to also include (1) a unique electronic identifier or routing code in combination with any required security code, access code, or password that would permit access to an individual’s financial account and (2) unique biometric data such as a fingerprint, retina or iris image, or other unique physical or digital representation of biometric data to authenticate a specific individual.
- Reasonable Safeguards: The Amendment provides an affirmative defense in a civil action under the law for individuals or entities that have “Reasonable safeguards” in place, which are defined as “policies and practices that ensure personal information is secure, taking into consideration an entity’s size and the type and amount of personal information. The term includes, but is not limited to, conducting risk assessments, implementing technical and physical layered defenses, employee training on handling personal information, and establishing an incident response plan”.
Read about the mandated reporting requirements and exceptions on The National Law Review.