On April 11, 2025, the North Dakota governor signed H.B. 1127 (the “Act”), which establishes new data security measures and breach notification obligations for financial corporations. Covered entities are those regulated by the North Dakota Department of Financial Institutions, excluding financial institutions such as banks and credit unions.
Key requirements, which mirror requirements under the federal Gramm-Leach-Bliley Act Safeguards Rule, include the following:
- implementing a comprehensive information security program, including maintaining appropriate administrative, technical and physical safeguards;
- designating a qualified individual responsible for overseeing, implementing and enforcing the financial corporation’s information security program;
- basing an information security program on periodic risk assessments that incorporate designated content requirements and identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information, and reassessing the sufficiency of any safeguards in place to control these risks;
- implementing safeguards to control the risks identified through the risk assessment, including but not limited to (1) implementing and periodically reviewing access controls; (2) implementing encryption of customer information held or transmitted by the financial corporation, both in transit over external networks and at rest; (3) adopting secure development practices for in-house developed applications; (4) implementing multifactor authentication for any individual accessing any information system (unless the financial corporation’s qualified individual has approved in writing the use of a reasonably equivalent or more secure access control); (5) monitoring and logging user activity; and (6) conducting continuous monitoring or periodic penetration testing and vulnerability assessments;
- implementing a written incident response plan that addresses (1) the goals of the plan; (2) internal processes for responding to a security event; (3) clear roles, responsibilities, and levels of decision-making authority; (4) external and internal communications and information sharing; (5) requirements for remediating identified weaknesses in information systems and controls; (6) documentation and reporting regarding security events and related incident response activities; and (7) evaluation and revision of the plan as necessary after a security event;
- providing personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment;
- overseeing service providers by (1) taking reasonable steps to select and retain service providers capable of maintaining appropriate reasonable safeguards for customer information; (2) contractually requiring them to implement and maintain these safeguards; and (3) periodically assessing the service providers based on the risk they present and the adequacy of their safeguards; and
- requiring the qualified individual to provide reports in writing, at least annually, to the financial corporation’s board of directors or equivalent governing body addressing (1) the overall status of the security program and compliance with the Act and (2) material matters related to the information security program (e.g., risk assessments, security events, and recommendations for changes to the program).
The Act also imposes new requirements regarding security incidents (i.e., “notification events”). A “notification event” means the acquisition of unencrypted customer information without the authorization of the individual to whom the information pertains. Financial corporations must notify the Department of Financial Institutions as soon as possible and no later than 45 days after discovering a notification event that involves the information of at least 500 consumers. Notably, the Act specifies that a notification event “must be treated as discovered on the first day when the event is known to the financial corporation. A financial corporation is deemed to have knowledge of a notification event if the event is known to any employee, officer, or other agent of the financial corporation, other than the person committing the breach.” The Act will take effect on August 1, 2025.