North Dakota Data Privacy Laws: Breach Notification & Consumer Rights (2026)

North Dakota takes a sectoral approach to data privacy rather than enacting a single comprehensive consumer privacy law. The state has not passed legislation similar to the California Consumer Privacy Act (CCPA) or the Virginia Consumer Data Protection Act (VCDPA). Instead, North Dakota residents and businesses must navigate several targeted statutes that address specific aspects of data protection.
The most significant of these is N.D. Cent. Code Chapter 51-30, the state's data breach notification law. Additional protections come from Chapter 51-33 on credit security freezes, criminal identity theft statutes, and the recently enacted HB 1127 targeting financial corporation data security. Federal laws including HIPAA, FERPA, and the Gramm-Leach-Bliley Act fill remaining gaps.
This guide covers every North Dakota data privacy statute, what protections they provide, who must comply, and what penalties apply for noncompliance.
North Dakota Data Breach Notification Law (N.D. Cent. Code Chapter 51-30)
North Dakota's data breach notification statute, codified in N.D. Cent. Code Chapter 51-30, has been the state's cornerstone data privacy protection since its enactment in 2005. The law was amended in 2013 by H.B. 1435 and again in 2015 by S.B. 2214 to expand the definitions of protected information and strengthen reporting requirements.

Who Must Comply
Any person or entity that conducts business in North Dakota and owns or licenses computerized data containing personal information must comply with Chapter 51-30. This includes corporations, partnerships, sole proprietors, nonprofit organizations, and government agencies. The law applies regardless of where the entity is headquartered, so long as the data of North Dakota residents is involved.
What Is a Breach Under North Dakota Law
Under Section 51-30-01, a "breach of the security system" means the unauthorized acquisition of computerized data when access to personal information has not been secured by encryption or by any other method or technology that renders the electronic files, media, or databases unreadable or unusable.
There is an important exception: good-faith acquisition of personal information by an employee or agent of the entity does not constitute a breach, provided the personal information is not used or subject to further unauthorized disclosure.
Definition of Personal Information
North Dakota defines "personal information" broadly under Section 51-30-01(4). It means an individual's first name or first initial and last name in combination with any of the following data elements:
| Protected Data Element | Description |
|---|---|
| Social Security number | Full SSN in any format |
| Driver's license or state ID number | North Dakota or any other state's license or non-driver ID |
| Financial account numbers | Bank account, credit card, or debit card numbers with any required security code, access code, or password |
| Date of birth | Month, day, and year of birth |
| Mother's maiden name | As commonly used for security verification |
| Medical information | Health or medical records, health insurance information |
| Employer ID numbers | With any required security code, access code, or password |
| Digital signatures | Electronic signature data |
Information that is publicly available from federal, state, or local government records is excluded from the definition of personal information.
Encryption Safe Harbor
If personal information is encrypted or rendered unreadable or unusable through any method or technology, the data does not meet the definition of "personal information" under the statute. This means that a breach involving only properly encrypted data does not trigger notification obligations. This encryption safe harbor gives businesses a strong incentive to encrypt personal information at rest and in transit.
Notification Requirements to Consumers
Under Section 51-30-02, any entity that experiences a breach must disclose the breach to any North Dakota resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
The notification must be made "in the most expedient time possible and without unreasonable delay." North Dakota does not set a specific day count for consumer notification. The timeline may account for the legitimate needs of law enforcement and measures necessary to determine the scope of the breach and restore the integrity of the data system.
Unlike some states that require a risk-of-harm analysis before notification, North Dakota has no harm threshold. If unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person, notification is required regardless of the likelihood of actual harm.
Notification to the Attorney General
Any entity that experiences a breach affecting more than 250 individuals must also notify the North Dakota Attorney General by mail or electronic mail. There is no specific day count for this notification either, but it must be made without unreasonable delay.
The Attorney General maintains a public data breach notices page where residents can review reported breaches.
Third-Party Notification Obligations
Under Section 51-30-03, any entity that maintains computerized data containing personal information on behalf of another entity (the data owner or licensee) must notify the owner or licensee immediately upon discovery of a breach. The data owner or licensee then bears the responsibility for notifying affected consumers and the Attorney General.
Methods of Notification
Section 51-30-05 establishes three permissible methods for providing breach notification:
- Written notice. A letter sent to the individual's last known mailing address.
- Electronic notice. Email or other electronic communication, provided the notice complies with the federal Electronic Signatures in Global and National Commerce Act (15 U.S.C. Section 7001).
- Substitute notice. An entity may use substitute notice if it demonstrates that the cost of providing direct notice would exceed $250,000, the affected class exceeds 500,000 individuals, or the entity does not have sufficient contact information. Substitute notice requires all three of the following: email notice (if the entity has email addresses), conspicuous posting on the entity's website, and notification to major statewide media.
Delayed Notice for Law Enforcement
Section 51-30-04 allows notification to be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The entity must provide notification as soon as the law enforcement agency advises that the notification will no longer compromise the investigation.
Alternate Compliance
Section 51-30-06 provides that an entity is deemed in compliance with Chapter 51-30 if it maintains its own notification procedures as part of an information security policy, provided those procedures are consistent with the timing requirements of the statute. Entities that comply with breach notification requirements under federal law (such as HIPAA or GLBA) are also considered compliant with North Dakota's law.
Enforcement and Penalties
The North Dakota Attorney General enforces Chapter 51-30 under the authority provided in Chapter 51-15 (the state's consumer fraud statute). Under Section 51-30-07, a violation of Chapter 51-30 is treated as a violation of Chapter 51-15.
| Enforcement Tool | Details |
|---|---|
| Civil penalties | Up to $5,000 per violation |
| Injunctive relief | Temporary or permanent injunction |
| Attorney fees and costs | Recoverable by the state |
| Investigation powers | Full Chapter 51-15 investigative authority |
There is no private right of action under Chapter 51-30. Individual consumers cannot file lawsuits against businesses for breach notification failures. Enforcement authority belongs exclusively to the Attorney General.
HB 1127: Financial Corporation Data Security (Effective August 1, 2025)
In 2025, North Dakota significantly expanded its data protection framework by enacting House Bill 1127, signed by the Governor on April 11, 2025. This law creates Chapter 13-01.2 of the North Dakota Century Code and imposes comprehensive data security requirements on certain financial corporations.
Who Is Covered by HB 1127
HB 1127 applies to financial corporations regulated by the North Dakota Department of Financial Institutions that are not otherwise regulated as banks or credit unions. Covered entities include:
- Trust companies
- Mortgage lenders
- Cryptocurrency kiosk operators
- Collection agencies
- Debt settlement providers
- Money brokers
- Money transmitters
- Payday lenders
Banks, credit unions, and entities already regulated under other frameworks are expressly excluded.
Required Information Security Program
Every covered financial corporation must develop and maintain a comprehensive, written information security program tailored to the organization's size, complexity, and the sensitivity of the customer information it handles. The program must include:
- Designation of one or more employees responsible for overseeing the program
- Risk assessment identifying reasonably foreseeable threats
- Evaluation of existing policies and procedures
- Implementation of appropriate controls to manage identified threats
- Periodic review of data retention policies
Data Disposal Requirements
HB 1127 requires covered entities to securely dispose of all customer information within two years of the information being used in connection with a product or service, unless the information is necessary for ongoing business operations, required to be retained by law, or disposal is not reasonably feasible. Entities must also periodically review their data retention policies to minimize unnecessary retention.
Breach Notification Under HB 1127
Financial corporations covered by HB 1127 must notify the Department of Financial Institutions as soon as possible and no later than 45 days after discovering a breach that involves the information of at least 500 consumers. A breach is considered "discovered" on the first day the institution becomes aware of the event. Knowledge held by any employee, officer, or agent is attributed to the institution.
Penalties Under HB 1127
| Penalty Type | Amount |
|---|---|
| Per-violation fine | Up to $100,000 |
| Continuing violation | $1,000 per day after service of an order |
| Cease-and-desist orders | Issued by the Department of Financial Institutions |
| License consequences | Suspension or revocation |
| Personnel actions | Removal of responsible executives or employees |
These penalties are substantially more severe than those under Chapter 51-30 and reflect the heightened data security expectations for financial institutions.
Insurance Data Security (N.D. Cent. Code Chapter 26.1-02.2)
North Dakota also regulates data security in the insurance industry through Chapter 26.1-02.2 of the North Dakota Century Code. This chapter was updated by Senate Bill 2088 during the 69th Legislative Assembly, with updated requirements effective August 1, 2025.
Who Must Comply
All individuals and entities licensed by the North Dakota Insurance Department must comply, including insurance companies, producers and agencies, third-party administrators, managing general agents, and other licensed organizations.
Key Requirements
Licensed insurers must conduct a self-assessment and implement a written Information Security Program (ISP) commensurate with the licensee's size, complexity, and the nature of its activities. Minimum elements include designating employees to oversee the ISP, identifying reasonably foreseeable threats, assessing the likelihood and impact of those threats, reviewing the sufficiency of existing policies, and implementing appropriate controls.
Cybersecurity Event Reporting
Licensees must promptly investigate potential cybersecurity events and notify the Insurance Commissioner within three business days if certain thresholds are met. The consumer notification standards from Chapter 51-30 are incorporated by reference.
Licensees subject to HIPAA may be exempt from certain ISP requirements, but they are not exempt from the notification obligations to the Insurance Commissioner.
Credit Security Freeze Rights (N.D. Cent. Code Chapter 51-33)
North Dakota law gives consumers the right to place a security freeze on their credit file under Chapter 51-33. A security freeze prohibits a consumer reporting agency from releasing any information in the consumer's credit file without express authorization.
How Credit Freezes Work in North Dakota
A credit security freeze prevents creditors from accessing your credit report, which effectively stops anyone from opening new credit accounts in your name without your knowledge. When you place a freeze, the consumer reporting agency must provide you with a personal identification number (PIN) or password within five business days. You use this PIN to temporarily lift or permanently remove the freeze when needed.
Cost and Timeline
Under both North Dakota law and the federal Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018, credit freezes are free for all consumers. There is no charge to place, temporarily lift, or remove a security freeze.
Enforcement
Chapter 51-33 provides both private enforcement (consumers can sue directly) and enforcement by the Attorney General. This is one of the few North Dakota data privacy statutes that grants individuals a private right of action.
Identity Theft Protections in North Dakota
Criminal Identity Theft Statute
Identity theft is a criminal offense under N.D. Cent. Code Chapter 12.1-23 (Theft and Related Offenses). The statute addresses both identity theft that causes economic loss and identity theft for other purposes.
| Offense Level | Conditions | Maximum Penalty |
|---|---|---|
| Class A misdemeanor | First offense, no economic loss | Up to 360 days in jail, $3,000 fine |
| Class C felony | Economic loss of any amount (first offense) | Up to 5 years in prison, $10,000 fine |
| Class B felony | Economic loss exceeding $1,000 | Up to 10 years in prison, $20,000 fine |
| Class C felony | Second or subsequent offense (any amount) | Up to 5 years in prison, $10,000 fine |
A person can be charged with identity theft regardless of whether the victim suffers actual economic or monetary loss. Simply using another person's identifying information without authorization is sufficient for prosecution.
Reporting Identity Theft
The North Dakota Attorney General's Consumer Protection Division recommends that identity theft victims take immediate steps including:
- File a police report with your local law enforcement agency
- Contact the three major credit bureaus (Equifax, Experian, TransUnion) to place fraud alerts
- Consider placing a credit security freeze under Chapter 51-33
- File a complaint with the FTC at IdentityTheft.gov
- Contact the Attorney General's Consumer Protection Division at (701) 328-3404
Fraud Alerts
North Dakota residents can place a one-year fraud alert on their credit file by contacting any one of the three major credit bureaus. Under federal law, the contacted bureau must notify the other two bureaus. A fraud alert requires creditors to take additional steps to verify your identity before extending credit.
Federal Laws That Protect North Dakota Residents
Because North Dakota has not enacted a comprehensive consumer privacy law, federal statutes play a critical role in protecting residents' personal information.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA protects health information held by covered entities (health plans, health care clearinghouses, and health care providers that transmit health information electronically). Under HIPAA's Privacy Rule, North Dakota residents have the right to access their medical records and request corrections. The North Dakota Department of Health and Human Services oversees state-level compliance.
North Dakota law allows health care providers to charge up to $20 for the first 25 pages of medical records and $0.75 per page thereafter. However, HIPAA's "reasonable, cost-based fee" standard may override this state fee schedule when it provides greater protection to the consumer.
Family Educational Rights and Privacy Act (FERPA)
FERPA protects student education records at institutions receiving federal funding. The North Dakota Department of Public Instruction enforces FERPA compliance across public K-12 schools. Students and parents have the right to inspect education records within 45 days of a request and to request amendments to inaccurate records.
The North Dakota Statewide Longitudinal Data System (SLDS) follows strict state and federal privacy standards, including FERPA, when managing education data across state systems.
Gramm-Leach-Bliley Act (GLBA)
The GLBA requires financial institutions to explain their information-sharing practices and to safeguard sensitive consumer data. The FTC's Safeguards Rule, updated in 2023, requires covered financial institutions to implement comprehensive security programs. North Dakota's HB 1127 was specifically modeled after the GLBA Safeguards Rule to extend similar protections to non-bank financial corporations.
Children's Online Privacy Protection Act (COPPA)
COPPA requires website operators and online services directed at children under 13 to obtain verifiable parental consent before collecting personal information. This federal law applies to all businesses operating in North Dakota that collect data from children online.
Proposed Privacy Legislation
North Dakota has attempted but not yet succeeded in passing comprehensive consumer privacy legislation. During the 2025 legislative session, a proposed bill would have prohibited the sale of a user's protected data without consent and authorized a private right of action with minimum damages. The bill did not advance through the legislative process.
A previous attempt, HB 1330, proposed comprehensive data protection requirements but also failed to pass. As of March 2026, North Dakota remains among the majority of states that have not enacted a comprehensive consumer data privacy law.
Businesses operating in North Dakota should monitor future legislative sessions, as national momentum toward comprehensive state privacy laws continues to grow. As of early 2026, twenty states have enacted comprehensive consumer privacy laws, increasing the likelihood that North Dakota will consider similar legislation in future sessions.
How North Dakota Compares to Other States
North Dakota's sectoral approach to data privacy differs significantly from states with comprehensive privacy laws. Here is how the state compares on key provisions.
| Feature | North Dakota | California (CCPA/CPRA) | Virginia (VCDPA) | Iowa (ICDPA) |
|---|---|---|---|---|
| Comprehensive privacy law | No | Yes | Yes | Yes |
| Breach notification law | Yes (Ch. 51-30) | Yes (Civ. Code 1798.82) | Yes (Code 18.2-186.6) | Yes (Ch. 715C) |
| AG notification threshold | 250+ individuals | 500+ residents | 1,000+ residents | 500+ residents |
| Specific notification deadline | No set deadline | 72 hours (certain entities) | 60 days | No set deadline |
| Consumer right to access data | No | Yes | Yes | Yes |
| Consumer right to delete data | No | Yes | Yes | Yes |
| Consumer right to opt out of sales | No | Yes | Yes | Yes |
| Private right of action (breach) | No | Yes (limited) | No | No |
| Credit freeze law | Yes (Ch. 51-33) | Yes | Yes | Yes |
| Financial data security law | Yes (HB 1127) | Yes (CCPA applies) | No specific law | No specific law |
Tips for Businesses Operating in North Dakota
Businesses that collect or process personal information of North Dakota residents should take the following steps to ensure compliance with existing state law.
- Implement encryption. Encrypting personal information at rest and in transit provides a safe harbor under Chapter 51-30. If a breach occurs but all affected data was properly encrypted, notification obligations are not triggered.
- Develop a breach response plan. Have written procedures in place for detecting breaches, assessing scope, notifying affected individuals, and reporting to the Attorney General when more than 250 individuals are affected.
- Review third-party contracts. If you share personal information with service providers, ensure contracts require immediate notification to you upon discovery of any breach.
- Know your sector-specific obligations. Financial corporations covered by HB 1127 must maintain written information security programs, dispose of customer data within two years, and report breaches to the Department of Financial Institutions within 45 days. Insurance licensees must comply with Chapter 26.1-02.2 cybersecurity requirements.
- Monitor legislative developments. North Dakota may enact comprehensive privacy legislation in future sessions. Businesses should stay informed about proposed bills and begin preparing for broader compliance obligations.
- Conduct regular risk assessments. Even without a comprehensive state law requiring them, regular security assessments help prevent breaches and demonstrate due diligence.
This article provides general legal information about North Dakota data privacy laws. It is not legal advice and does not create an attorney-client relationship. Data privacy laws change frequently. Consult with a qualified attorney licensed in North Dakota for advice about your specific situation.
Sources and References
- N.D. Cent. Code Chapter 51-30: Notice of Security Breach for Personal Information (ndlegis.gov)
- N.D. Cent. Code Chapter 51-33: Consumer Credit Report Security Freezes (ndlegis.gov)
- N.D. Cent. Code Chapter 12.1-23: Theft and Related Offenses (ndlegis.gov)
- N.D. Cent. Code Chapter 26.1-02.2: Insurance Data Security (ndlegis.gov)
- N.D. Cent. Code Chapter 51-15: Consumer Fraud (ndlegis.gov)
- North Dakota HB 1127: Financial Corporation Data Security (ndlegis.gov)
- North Dakota Attorney General: Data Breach Notices (attorneygeneral.nd.gov)
- North Dakota Attorney General: Identity Theft Resources (attorneygeneral.nd.gov)
- North Dakota Attorney General: Credit Security Freeze (attorneygeneral.nd.gov)
- North Dakota Insurance Department: Cybersecurity Reporting (insurance.nd.gov)
- North Dakota Department of Financial Institutions (nd.gov)
- North Dakota DPI: FERPA (nd.gov)
- North Dakota HHS: HIPAA Privacy (hhs.nd.gov)
- North Dakota SLDS: Privacy (slds.nd.gov)
- FTC: Gramm-Leach-Bliley Act (ftc.gov)
- HHS: HIPAA (hhs.gov)
- Federal E-SIGN Act (govinfo.gov)