North Dakota Data Breach Notification Laws: Reporting Rules & Timelines (2026)
If your business handles personal information belonging to North Dakota residents, a data breach triggers specific legal obligations under the state's Notice of Security Breach for Personal Information law. N.D. Cent. Code Chapter 51-30 sets out who must be notified, what information triggers the duty, and how quickly you need to act. Originally enacted in 2005, the statute has been amended several times, most notably in 2015 to add the Attorney General notification requirement and expand the definition of personal information.
This guide covers the full scope of North Dakota's breach notification requirements, including what personal information triggers the law, who must be notified, the timeline, enforcement penalties, exemptions, and how the law connects to the state's [broader data privacy framework](/us-laws/data-privacy-laws/north-dakota-data-privacy-laws).
Who Must Comply With North Dakota's Breach Notification Law
North Dakota's breach notification law applies to any person that conducts business in the state and owns or licenses computerized data that includes personal information. The term "person" covers individuals, corporations, business trusts, estates, partnerships, associations, and any other legal entity.
The law also applies to any person that maintains computerized data belonging to another entity. If a third party discovers a breach of data it maintains on behalf of an owner, it must notify the data owner as expeditiously as possible. The data owner then carries the responsibility of notifying affected consumers and the Attorney General.
What Qualifies as a Security Breach
Under N.D. Cent. Code 51-30-01, a breach of the security system means the unauthorized acquisition of computerized data when access to personal information has not been secured by encryption or by any other method or technology that renders the electronic files, media, or databases unreadable or unusable.
The key term is "unauthorized acquisition." Mere unauthorized access, without actual acquisition of data, does not trigger the statute.
Good Faith Exception
A good faith acquisition of personal information by an employee or agent of the person owning the data does not constitute a breach, provided the personal information is not used for a purpose unrelated to the business or subject to further unauthorized disclosure.
The Encryption Safe Harbor
North Dakota provides one of the cleaner encryption safe harbors among state breach notification laws. If personal information was secured by encryption or any other method that renders the data unreadable or unusable, the incident does not qualify as a breach and no notification is required. Unlike some states, there is no carve-out requiring the encryption key to have remained uncompromised.
What Personal Information Triggers the Law
Under N.D. Cent. Code 51-30-01, personal information means an individual's first name or first initial and last name in combination with any of the following data elements:
- Social Security number
- Driver's license or state identification card number
- Financial institution account number, credit card number, or debit card number in combination with any required security code, access code, or password
- Date of birth
- Mother's maiden name
- Medical information
- Health insurance information (policy number, subscriber ID, or any unique identifier used by a health insurer)
- An identification number assigned by an employer, in combination with any required security code
- Digitized or other electronic signature
- Military ID number
North Dakota's definition of personal information is notably broader than many states. The inclusion of employer-assigned ID numbers, military ID numbers, and health insurance information reflects amendments that expanded the law beyond its original scope.
Personal information does not include publicly available information lawfully made available to the general public from federal, state, or local government records.
Notification Timeline
North Dakota requires notification "in the most expedient time possible and without unreasonable delay." The statute allows for delays that are:
- Consistent with the legitimate needs of law enforcement
- Consistent with any measures necessary to determine the scope of the breach
- Necessary to restore the integrity of the data system
There is no fixed deadline measured in days. However, the "most expedient time possible" language sets a higher standard than states that use only "without unreasonable delay."
Law enforcement may request a delay if notification would compromise a criminal investigation.
Who Must Be Notified
Affected Individuals
Every North Dakota resident whose unencrypted personal information was acquired by an unauthorized person must receive notification. The notice must include:
- A description of the incident in general terms
- The type of personal information subject to the breach
- General acts of the business to protect the personal information from further breach
- Contact information for the business, including a telephone number
Attorney General
Under N.D. Cent. Code 51-30-02, the North Dakota Attorney General must be notified when a breach affects 250 or more individuals. The AG disclosure must include:
- The nature of the breach
- The number of North Dakota consumers affected
- Steps the entity has taken to investigate and remediate
- The timing, distribution, and content of the notice provided to consumers
The 250-person threshold is relatively low compared to many states, reflecting North Dakota's approach to ensuring the Attorney General has visibility into smaller breaches.
Methods of Notification
Businesses can provide notification through:
- Written notice sent to the individual's last known address
- Electronic notice consistent with the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act)
- Telephone notice directly to the affected individual
Substitute Notice
Substitute notice is available if the business demonstrates that:
- The cost of providing notice would exceed $250,000, or
- The affected class exceeds 500,000 individuals, or
- The business does not have sufficient contact information
Substitute notice must include: email notice (where available), conspicuous posting on the business's website, and notification to major statewide media.
Enforcement and Penalties
North Dakota's breach notification law is enforced exclusively by the Attorney General. Under N.D. Cent. Code 51-30-07, the AG has all the powers and may seek all the remedies available under NDCC Chapter 51-15, the state's consumer fraud statute.
Penalties
- Civil penalties of up to $5,000 per violation
- Each failure to notify an individual may constitute a separate violation
- Temporary or permanent injunctive relief
- Attorney's fees, costs, and investigation expenses
No Private Right of Action
There is no private right of action under North Dakota's breach notification law. Only the Attorney General can bring enforcement actions. Affected individuals cannot sue businesses directly under this statute for breach notification failures.
Exemptions
HIPAA Compliance Exemption
Any covered entity, business associate, or subcontractor subject to breach notification requirements under 45 CFR Part 164, Subpart D (the HIPAA Breach Notification Rule) is deemed in compliance with North Dakota's law, provided they comply with the federal requirements.
Financial Institution Exemption
Financial institutions subject to and in compliance with the federal Gramm-Leach-Bliley Act interagency guidance on breach notification are also exempt from separate compliance with the state statute.
Alternate Compliance
Under N.D. Cent. Code 51-30-06, any entity that maintains its own notification procedures as part of an information privacy or security policy is deemed in compliance, provided those procedures are consistent with the timing requirements of the state law.
Third-Party Data Maintainer Obligations
Under N.D. Cent. Code 51-30-03, any person that maintains computerized data belonging to another entity must notify the data owner of any security breach immediately following discovery. This obligation is in addition to any contractual notification requirements. The data owner then bears responsibility for notifying affected consumers and the Attorney General.
More North Dakota Laws
- North Dakota Whistleblower Laws
- North Dakota Recording Laws
- North Dakota Recording Laws
- North Dakota Recording Laws
- North Dakota Data Privacy Laws
- North Dakota Recording Laws
- North Dakota Recording Laws
- North Dakota Recording Laws
Sources and References
This article draws from the following official North Dakota government sources:
- N.D. Cent. Code Chapter 51-30 (Notice of Security Breach for Personal Information) - Full text of North Dakota's breach notification statute
- N.D. Cent. Code Chapter 51-30 (PDF version) - PDF of the complete statute text
- North Dakota Attorney General: Data Breach Notices - AG breach reporting portal
- North Dakota Attorney General: Preventing Identity Theft - Consumer identity theft prevention resources
This article provides general legal information about North Dakota data privacy laws and breach notification requirements. It is not legal advice, and it does not create an attorney-client relationship. Data breach response involves time-sensitive obligations. Consult a qualified attorney licensed in North Dakota for guidance specific to your situation.
Sources and References
- N.D. Cent. Code Chapter 51-30 - Notice of Security Breach(ndlegis.gov).gov
- NDCC Chapter 51-30 (PDF)(ndlegis.gov).gov
- North Dakota AG - Data Breach Notices(attorneygeneral.nd.gov).gov
- North Dakota AG - Preventing Identity Theft(attorneygeneral.nd.gov).gov
- NDCC Chapter 51-15 - Consumer Fraud(ndlegis.gov).gov