Ashden Fein, Caleb Skeath, Micaela McMurrough, Emily Pehrsson, and Sierra Stubbs of Covington and Burling write:
Oklahoma recently enacted Senate Bill 626, which substantially amends the state’s data breach notification law to broaden the scope of notification obligations and add a new regulator notification requirement along with a new “safe harbor”-style provision that provides liability protections if certain security measures are implemented. The changes to Oklahoma’s law follow changes to other state data breach notification laws within the past year, including New York’s addition of a 30-day deadline for notice to individuals (added in early 2025) and Pennsylvania’s addition of a regulator notification requirement and obligations to provide free credit monitoring (added in mid-2024). Key updates from Oklahoma’s bill, which will go into effect on January 1, 2026, are discussed in further detail below.
Read more about the provisions as Inside Privacy.