As we noted in a recent guest column in The Journal Record, the Oklahoma Legislature is working to update old laws regarding notification of security breaches.
On January 14, 2025, Sen. Brent Howard and Rep. John Pfeiffer introduced Senate Bill 626, which amends and updates Oklahoma’s Security Breach Notification Act, 24 Okla. Stat. § 161 et seq. That Act currently requires that businesses provide notice to individuals if certain personal information held by the business becomes the subject of unauthorized access. Senate Bill 626 adds a requirement for businesses to notify the state attorney general if a breach affects 500 or more Oklahoma residents. If signed into law, the bill would go into effect on January 1, 2026.
The bill also modifies the civil penalties that the attorney general may seek under the Act. Currently, violations of the Act are subject to suits brought by the attorney general or a local district attorney in which actual damages and a civil penalty of no more than $150,000 may be sought. These penalties have sparked debate among lawmakers, with some arguing stricter penalties are necessary to protect Oklahomans’ personal information and others expressing concern for how penalties could affect small businesses. Senate Bill 626 appears to try to strike a compromise in this dispute by cutting penalties in half for businesses that provide Act-required notices and eliminating penalties altogether for businesses that provide notice and use “reasonable safeguards” to try to protect personal information.
The bill also adds to the definition of what constitutes protected personal information requiring a notice under the Act. Oklahoma law currently requires notice of unauthorized access to unencrypted social security numbers, driver’s license numbers, and certain financial information. Senate Bill 626 adds “unique biometric data” to that list, and defines the same to include fingerprints, retina images, and other unique physical or digital representations of biometric data. The scope of the Act has, however, also sparked debate, with some seeking broader protection and others seeking exemptions to notice requirements.
After the bill passed the Senate on March 27, 2025, Attorney General Gentner Drummond publicly applauded the Oklahoma Legislature for taking “an important step in protecting Oklahoma’s citizens and businesses from the ever-growing threat of cybercrime.” Earlier this month, the House passed an amended version of the bill that removed reference to rules to be promulgated by the attorney general concerning notice and clarified that attorney general notice is required of the business that owns or licenses the computerized data that is the subject of the breach.
While it seems likely that the amended version will pass the Senate and proceed to Governor Stitt’s desk by month’s end – which is the end of the legislative session – debates still loom, and it is uncertain whether Senate Bill 626 will ultimately be made into law. It is clear, however, that state lawmakers have privacy legislation on their minds. As a result, businesses should assess the privacy policies and security safeguards they have in place for personal data and keep an eye on this year’s legislative session as these new notice requirements may be in effect as early as next year.