Lathrop GPM LLP
What law(s) specifically govern personal data / information?
North Dakota does not have a general data privacy law in effect.
North Dakota laws and regulations related to personal data include:
- Notice of Security Breach for Personal Information
- Banks and Banking - Disclosure of Customer Information
- Disclosure of Customer Information by Financial Institutions
- Identity Fraud
- Consumer Credit Report Security Freezes
- New Law for Financial Corporations: H.B. 1127, effective August 1, 2025, imposes specific data security obligations, including written security programs, risk assessments, and breach reporting for certain “financial corporation” not otherwise regulated as banks or credit unions.
What are the key data protection principles in this jurisdiction?:
There are no specific principles.
What is the supervisory authority / regulator in charge of data protection?
There are no specific principles.
Is there a requirement to register with a supervisory authority / regulator?
No.
Is there a requirement to notify the supervisory authority / regulator?
No.
Is it possible to register with / notify the supervisory authority / regulator online?
N/A.
What are the key data subject rights under the data protection laws of this jurisdiction?
None.
Is there a requirement to appoint a data protection officer (or equivalent)?
No.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
No.
Does this jurisdiction have any specific data breach notification requirements?
Yes, as follows:
Notice of Security Breach for Personal Information
N.D. Cent. Code §§ 51-30-01 to 51-30-07
Application. Any Entity that conducts business in North Dakota and that owns or licenses computerised data that includes Personal Information.
Security Breach Definition. Unauthorised acquisition of computerised data when access to Personal Information has not been secured by encryption or by any other method or technology that renders the electronic files, media, or databases unreadable or unusable.
- Good-faith acquisition of Personal Information by an employee or agent of the Entity is not a breach of the security of the system if the Personal Information is not used or subject to further unauthorised disclosure.
Notification Obligation. Any Entity to which the statute applies shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of North Dakota whose unencrypted Personal Information was, or is reasonably believed to have been, acquired by an unauthorised person.
Attorney General Notification. Any person that experiences a breach of the security system shall disclose to the Attorney General by mail or email any breach of the security system that exceeds 250 individuals.
Third-Party Data Notification. Any person that maintains computerised data that includes Personal Information that the person does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following the discovery if the Personal Information was, or is reasonably believed to have been, acquired by an unauthorised person.
Timing of Notification. In the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and to restore the integrity of the data system.
Personal Information Definition. An individual's first name or first initial and last name in combination with any of the following data elements, when the name and the data elements are not encrypted:
- Social Security number;
- The operator's license number assigned to an individual by the Department of Transportation;
- A non-driver colour photo identification card number assigned to the individual by the Department of Transportation;
- An account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial accounts;
- The individual's date of birth;
- The maiden name of the individual's mother;
- Medical information;
- Health insurance information;
- An identification number assigned to the individual by the individual's employer in combination with any required security code, access code, or password; or
- The individual's digitized or other electronic signature.
Personal Information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Notice Required. Notice may be provided by one of the following methods:
- Written notice; or
- Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-Sign Act).
Substitute Notice Available. If the Entity demonstrates that the cost of providing notice would exceed USD $250,000, the affected class of subject individuals to be notified exceeds 500,000, or the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
- Email notice when the Entity has email addresses for the subject persons;
- Conspicuous posting of the notice on the Entity's website, if the Entity maintains one; and
- Notification to major statewide media.
Exception: Own Notification Policy. An Entity that maintains its own notification procedures as part of an information security policy for the treatment of Personal Information and is otherwise consistent with the timing requirements of this chapter is deemed to be in compliance with the notification requirements of this chapter if the Entity notifies subject individuals in accordance with its policies in the event of a breach of security of the system.
Exception: Compliance with Other Laws.
- Interagency Guidance. A financial institution, trust company, or credit union that is subject to, examined for, and in compliance with the Federal Interagency Guidance on Response Programs for Unauthorised Access to Customer Information and Customer Notice is deemed to be in compliance with this chapter.
- HIPPA. A covered entity, business associate, or subcontractor that is subject to the breach notification requirements of title 45 of the Code of Federal Regulations, part 164, subpart D, is considered to be in compliance with this chapter.
Other Key Provisions:
- Delay for Law Enforcement. The notification required by this chapter may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The required notification must be made after the law enforcement agency determines that the notification will not compromise the investigation.
- Attorney General Enforcement.
What restrictions apply to the international transfer of personal data / information?
None.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
No.
What rules specifically deal with marketing?
None.
Do different rules apply to business-to-business and business-to-consumer marketing?
No.
What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
None.
Federal laws such as CAN-SPAM and TCPA apply.
What rules specifically deal with cookies?
None.
What are the consequences of non compliance with data protections laws (including marketing laws)?
There is no state regulator except for the North Dakota Attorney General who may impose fines under the data breach notification statutes noted above.
In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?
In the absence of a broad data privacy law only data breach notification law requires attention.
What upcoming data protection developments should multinational organisations be aware of?
None.
Disclaimer:
© 2025, Lathrop GPM LLP. All rights reserved by Lathrop GPM LLP as author and the owner of the copyright in this chapter. Lathrop GPM LLP has granted to Multilaw non-exclusive worldwide license to use and include this chapter in this guide and to sublicense Lexis Nexis, a division of RELX Inc. and its affiliates certain rights to use and distribute this Guide.
The information in the International Data Protection Laws Guide provides a general overview at the time of publication and is not intended to be a comprehensive review of all legal developments nor should it be taken as opinion or legal advice on the matters covered. It is for general information purposes only and readers should take legal advice from a Multilaw member firm.